Stay calm and carry on, people: It’s way too soon to say that NFC should stand for Now Fatally Corrupted. Yes, Google’s breakthrough NFC payments app Wallet is being mentioned all over the news thanks to a flaw–it’s vulnerable to a hack that gives nefarious types access to your secure PIN number. But don’t believe any doomsayers or fearmongering that you may encounter on this matter; it’s not as evil as it seems and, believe it or not, it’s actually a sign that the future of wireless mobile payments is probably more secure than your current credit card.
As reported over at the blog of security firm Zvelo, Google’s Wallet app has a wicked flaw right at its core. Wallet works as a three-way system, you see, with the official app running on your smartphone, a hardware chip inside the phone called the secure element, and the participation of the banks at the other end of the data pipeline (ready to check it’s all legit and say “okay” when you swipe your phone at a merchant and say, in effect, “please pay this store $X amount”).
The security loophole that Zvelo uncovered comes right at the point that the app talks to the secure element, because as an additional security feature–extra to those in place when you actually pay for something–the secure element requires you to enter a PIN number when you activate it after an interval. Thanks to what looks like a bit of sloppy coding by Google, this PIN is stored in an encrypted form on the phone, and if your phone is rooted then a malicious app could use the phone’s own prodigious mobile computing power to crunch the encryption and work out your PIN, in a matter of moments:
This means that if someone got ahold of your phone illegitimately, they could fairly swiftly have direct access to your PIN number and thus activate all the goodies hidden inside Wallet, including your stored credit card numbers and transaction history. That’s an opportunity to be pretty evil, right there–though it’s worth noting it doesn’t affect the wireless payment system security itself.
But here’s the thing: Your phone would have to be rooted, meaning you’d adjusted its Android code to allow you deep access to the operating system (not something every, or even most, Android users would ever do). And the thief would have to have direct physical access to your phone for a decent space of time to root it if you hadn’t, and to run the special app. Google has already begun work on a fix, subject to a tricky battle with the banks over where responsibility for the encryption should lie (our question: why can’t Google just show the numbers in the app as **** **** etc., as many online stores would do? It would deter this access). Even Zvelo itself notes that if you’re a security-aware Android user you can put many barriers in the way of a thief performing the hack by encrypting the device and by making sure it has effective homescreen password locks.
If you think about it, this is actually an endorsement for the future security of wireless payments. If someone stole your current-generation plastic credit card, then there are none of these “extra” barriers in the way of the thief using it. Google around for news about “credit card theft” and you’ll see endless examples all over the world of theft by cloned cards, faked signatures, stolen PINs for chip-and-PIN cards (something the U.S. will have to worry about soon) and so on. A single case in a single U.S. city–New York–in late 2011 involved $13 million in theft using stolen cards over a 16-month interval, and the crime is so common that credit card numbers are sold on the black market through a bizarre criminal “bazaar” for as little as $3.50 a pop. In 2009, it was found that card fraud was the number one fear of Americans, above terrorism, partly because of memories of the global economic crisis.
Your current plastic card, you see, is pretty vulnerable to fraudulent use. Yes, there are plenty of security protocols in place, and the tech to keep them safe is getting better–with chip-and-PIN being perhaps the best at the moment. But as criminal tech exploitation advances, the implications of physically losing your card or having it cloned at a merchant are getting bigger (we won’t talk about online fraud–that’s a separate issue, related to how we process payments over the web). Even the brand-new NFC credit cards are a little at risk because although they are more secure, if they’re stolen then they’re more or less as vulnerable as a normal card.
But if your payment data is wrapped up in an app on your smartphone, then thieves have to make a whole paradigm leap in tech savviness to get at the information and then make fraudulent payments. And if you do lose your phone–something that’s perhaps harder to do than lose a tiny sliver of plastic card–you’re more likely to notice, and with many of the over-the-air security systems now available you may even be able to wipe its contents and remove all data before the thief can access it. It’s easy to imagine Apple, for example, beefing up the “find my iPhone” app to include a “nuke my card data” button if it ever enables NFC payments. Plus if there is a vulnerability exposed in these smartphone-based system in the future, it may be fixable by an over-the-air update, which is a feature that simply couldn’t happen with current card tech.
You may have to become a little more tech-aware yourself to make the most of all this security, but that shouldn’t be a problem–after all, we’re the Facebook generation, right?
Update: Google has been in touch directly with us at Fast Company to talk about their position and clear up misunderstandings about the information (is that a sign of a company acutely aware of the power of online news?). Google would like to point out that
“The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone”
That’s all perfectly reasonable, particularly the bit about not messing with the pre-installed OS systems lest you upset, or completely bypass, any security that’s installed to prevent this sort of mishap. Google also took pains to point out that the notion that someone could access your data on a stolen phone if it hadn’t already been rooted by the owner. If such action is taken, however, Google points out our assertion is wrong and assures us that “all data, including the Wallet is wiped.” That’s a particularly potent way of ensuring your precious credit card information is zeroed before anyone malicious can get their hands on it. We stand corrected, but as we suggested, this actually means your Wallet virtual “credit card” is actually more secure than a plastic one.
Update Two: Google has felt pressured over this matter, and another similar one where user’s pre-paid credit can be exposed and accessed, and has felt the need to vigorously defend its technology (to the point it’s emailed this author directly about its thoughts). Firstly it’s suspended new pre-paid cards, giving it time to come up with a tech fix for the second hack–we’re not talking about a lot of money here, but it was another embarassing glitch. Secondly the VP for Google Wallet and Payments, Osama Bedier, has stepped up with a new blog posting on Google that effectively restates the position of our original article here: Wallet is actually safer than your traditional credit card for all the reasons set out in the first part of this story. You shouldn’t root or otherwise circument your Android phone’s systems, though, lest you expose your data in a risky way, but otherwise it’s safe. That’s Bedier’s message.
[Image: Flickr user boliston]