UPDATED 12:38 EDT / FEBRUARY 09 2012

Google Wallet Security Woes Don’t Reflect Poorly on NFC or Mobility

With the rise of mobile banking, and phones now on the verge of serving as wallets, we are going to see a great many more security issues surface in this corner of finance. Recently, a security research team found that the PIN Google Wallet uses to authorize payments on the go could be recovered by an attacker who has physical possession of the phone, which in effect exposes the account holder to fraud.

However, we also now know that this doesn’t mean what it seems to mean for the security of mobile payments.

The first thing to understand is that an NFC phone acting as a credit or debit card is replacing a piece of plastic that has essentially no security of its own. If the card is lost and its PIN is discovered, the owner would seem to be in dire straits; in practice they just call the bank and cancel the card, and that phone call is the only protection the card ever had.

In the case of Google Wallet, not only does the attacker need to take the phone from its owner, but the owner must have left it without any basic protection. First, the phone must be rooted (something mostly power users do), because the attacker needs root access to read the Wallet app's private storage; second, the phone must not have a screen lock enabled (basic security everyone with a phone should have); and third, it must not have full-disk encryption enabled (another power-user feature, but still a strong security move).

Security firm Zvelo found this flaw while trying to confirm another Google Wallet issue concerning privacy (also mitigated by the precautions above), and in the process noticed that the PIN was kept somewhere far less protected than it could have been. NFC-capable phones include a secure hardware chip, the Secure Element, that lets apps keep sensitive data isolated from the operating system and from the phone's ordinary storage, precisely so that an attacker with access to that storage cannot easily reach it. Google Wallet, however, did not keep the PIN there; it stored a hash of the PIN in the app's data on the phone itself.

“Knowing that the PIN can only be a 4-digit numeric value,” wrote Joshua Rubin, security researcher for Zvelo, “it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time.” SHA-256 here is not an encryption algorithm but a cryptographic hash function: a one-way transformation widely used to protect everything from stored passwords to secure communications, and one of the strongest in current use. Its strength is not the problem. A hash cannot be reversed, but it can be recomputed, and when only 10,000 inputs are possible an attacker does not need to reverse it; he simply hashes every candidate and compares.

The shorter the value that was hashed, the easier it is to brute force (that is, to guess over and over until a guess hashes to the stored value). Ten thousand candidates is trivially small for a processor that can compute many thousands of hashes a second; even a phone gets through them in moments. However, as noted above, the attacker has to steal the phone first. This is not a vulnerability anyone can exploit remotely; the thief must have full access to the phone's storage.

As mentioned above, Google could have made this more secure, though it is already more secure than a credit card on its own. If Google changed Google Wallet's architecture so that the PIN were checked inside the Secure Element rather than against a hash in app storage, attackers could no longer guess the PIN at leisure: the stored value would never leave the chip, and a retry counter would lock the wallet after four or five wrong guesses, either temporarily or until the PIN was reset, making brute force impractical or impossible.
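To make the contrast concrete, the following is an added example written for this article, not code from Zvelo or from Google Wallet. It models both the offline brute force described above (hash every one of the 10,000 four-digit PINs and compare against the stored hash) and the Secure Element design just described (the PIN is checked inside a chip with a try counter). The storage format, the salt, the PIN value and the lock-after-five threshold are assumptions for the demonstration; the article does not specify how the hash was laid out on the phone.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PIN_LENGTH = 4  # Google Wallet PINs are 4 numeric digits, so the space is 10**4

# --- Design 1: PIN stored as a hash in the app's data (what Zvelo found) ---

def store_pin(pin: str, salt: bytes) -> str:
    """Assumed storage model: hex(SHA-256(salt || pin)).
    Whether and how the real app salted the hash is not stated in the article;
    either way a salt kept next to the hash does not help, because the attacker
    who can read the hash can read the salt too."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()

def brute_force_pin(stored_hash: str, salt: bytes) -> Optional[str]:
    """Offline attack with root access to the phone's storage.
    SHA-256 is not weakened here; it is simply recomputed for every candidate,
    which is at most 10,000 hashes."""
    for candidate in range(10 ** PIN_LENGTH):
        pin = f"{candidate:0{PIN_LENGTH}d}"
        if hmac.compare_digest(store_pin(pin, salt), stored_hash):
            return pin
    return None

# --- Design 2: PIN checked inside a Secure Element with a try counter ---

class SecureElementPinVerifier:
    """Toy model of a tamper-resistant chip: the PIN never leaves it, the OS can
    only ask 'is this guess right?', and consecutive failures lock the wallet."""
    MAX_TRIES = 5  # the article says 'four or five'; five is assumed here

    def __init__(self, pin: str):
        self._pin = pin          # held inside the element, not readable from the OS
        self._failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(guess, self._pin):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_TRIES:
            self.locked = True   # stays locked until an out-of-band reset
        return False

def brute_force_secure_element(se: SecureElementPinVerifier) -> Tuple[Optional[str], int]:
    """The same enumeration, but online against the chip.
    Returns (recovered PIN or None, number of guesses made)."""
    guesses = 0
    for candidate in range(10 ** PIN_LENGTH):
        pin = f"{candidate:0{PIN_LENGTH}d}"
        guesses += 1
        if se.verify(pin):
            return pin, guesses
        if se.locked:
            return None, guesses
    return None, guesses

if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    salt = os.urandom(16)
    secret_pin = "7391"
    stolen_hash = store_pin(secret_pin, salt)
    print("offline brute force against stored hash:", brute_force_pin(stolen_hash, salt))
    print("online brute force against Secure Element:",
          brute_force_secure_element(SecureElementPinVerifier(secret_pin)))
```

Run stand-alone, the first attack recovers the PIN every time after no more than 10,000 hashes, while the second is stopped after five guesses with the wallet locked. The difference is not the hash algorithm but where the check happens and who controls the retry counter.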

Knowing this, we can expect that future NFC wallet apps will be much more secure than much of what we already use today.

As usual, people who use their smartphones to make on-the-go payments should weigh security against convenience. First, if you are not a power user, don't root your phone. Second, if you are a power user, you probably know better than to leave the phone without a screen lock, and you likely already know how to turn on and use full-disk encryption. Either way, it is wise to follow a routine for keeping your phone secure.

After all, if you lose your phone with all sorts of personal information on it (including outgoing calls, e-mails, address book, etc.) why let that fall into the wrong hands?

