Google made good on predictions that it would unveil an NFC mobile payment system at a media event today–sharing details of the new Google Wallet. The idea of completing purchases with a swipe of the smartphone is compelling, but it seems like using your smartphone as a wireless wallet is an invitation for having your credit card data compromised.
Google has partnered with Citibank to include native support for Citicard credit cards, but Google was smart enough not to paint Google Wallet into a corner with just one card. Google Wallet also includes a Google payment option that can be pre-filled using funds from any credit card.
OK–maybe you should still carry your wallet for now. Google Wallet is only being rolled out in two cities (New York and San Francisco), and it only works if Sprint is your wireless provider, you have an NFC-equipped Android smartphone, and you are shopping at one of a small handful of retailers. With so many conditions, you will still need that old-fashioned credit card for most of your purchases.
But, that is today–or this year, when Google Wallet actually launches. It is virtually inevitable that the concept of mobile payments using a smartphone will gain traction and become a mainstream means of transacting money. When that happens, though, should you be concerned about the security implications of having your credit card data available in your smartphone? With all of the data breaches that keep making headlines, is it crazy to trust Google with your sensitive financial information?
Oliver Lavery, Director of Security Research and Development for nCircle, says no. “I don’t think it’s crazy to trust credit card data to Google Phones. While there have been high profile breaches like Sony and Epsilon recently, these were breaches in systems where security wasn’t a front-and-center concern. I think we can be reasonably confident in the security design of a system designed to manage financial transactions.”
Fred Touchette, Senior Security Analyst for AppRiver, agrees. “While it’s true there have been a lot of security breaches as of late, the truth is that most people that have shopped or currently shop online already have their data stored somewhere out in the cloud which already makes them a potential target.”
Google has, in fact, given serious thought to security and has controls in place that should protect user data. Credit card information is encrypted and stored on a tamper-resistant chip that is segregated from the core Android OS, and only accessible by authorized programs. Google expects that users will use the PIN security to lock the smartphone itself, but in addition the Google Wallet has a separate PIN.
A Google spokesperson explained to me that a third PIN is required–or at least can be configured to be required–at the time of the actual transaction, so even if your Android smartphone is lost or stolen, it should not be possible for a thief to make any unauthorized transactions.
As for the risk of an attacker using some sort of rogue NFC terminal to try to wirelessly capture your data, the Google spokesperson reiterated that, with all of the PIN requirements, a rogue NFC terminal would not be able to complete a transaction. The spokesperson added that the smartphone has to be so close to the terminal to complete the transaction that there is virtually no risk of getting hacked by something that is just in close proximity, and explained that an attacker would have an easier time just stealing your actual wallet.
Lavery notes that a bit of a culture shift needs to happen before users recognize that an unlocked smartphone grants access to a variety of sensitive information. “Many people don’t set PINs on their phone, in spite of how easily this sort of device can be lost or stolen.”
Touchette cautions that mobile payments are a new ballgame, and that Google is a big target that is bound to draw attention. Never underestimate the innovative creativity of hackers–especially when there is money involved. Touchette recommends that users designate a separate credit card with a relatively low balance specifically for mobile payments in order to minimize the potential fallout of a breach.
The bottom line is that mobile payment systems in general, and Google Wallet specifically, are not any more insecure than any other transaction you might make using your credit card. The data is being read, processed, transmitted, and stored one way or another. With the precautions Google has taken, there is not necessarily a need for any additional security, but users should always be vigilant about safeguarding their personal information and credit card data.