Google's effort to secure mobile payments using near field communication (NFC) technology on smartphones has not been so successful, security experts said.
Google gives assurances that no malicious application can access the data stored by Google Wallet, as Android enforces strict policies to ensure security.
The data stored in the NXP PN65K chip in the Samsung Nexus S 4G smartphone is isolated from the phone's operating system and hardware and is protected by cryptography (PKI and Triple-DES) and memory protection, making it a tough nut to crack.
However, Google Wallet cannot read or write data from the Secure Element's memory.
McAfee security researcher Jimmy Shah thinks Android might be the best entry point for a perpetrator because Android apps are relatively easy to reverse-engineer.
From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards, Shah wrote in his blog.
Lookout Mobile Security CTO Kevin Mahaffey agrees with Shah and says that an app could exploit the software in the Secure Element, enabling a hacker to grab credit card info.
The 4-digit PIN, which is used to transmit payment credentials, might, if abandoned, make a user susceptible to a man-in-the-middle attack, said Mahaffey. In this attack, a perpetrator can read and relay a user's NFC signal and swipe their credentials when they make a purchase.
ThreatMetrix Chief Products Officer Alisdair Faulkner said, "The analogy I would use is that I can put my credit card in my wallet, but my driver's license isn't going to try and communicate with it in any way. Anywhere that you have stored value, that is going to be something that criminals are going to attack."
"Never before in history have we had this kind of financial data and credentials stored on a device, which we know fundamentally can never be trusted," he said.