NFC Alert: Google Wallet Security Loopholes Discovered
UPDATE: The security issue involving prepaid cards outlined below has since been resolved. Google is now in the process of rolling out the necessary updates.
As I wrote last week, PayPal’s nascent mobile payment offering is bound to put more pressure on competing services based on Near-Field Communication (NFC) technology.
Wall Street Daily readers know that I’ve been trumpeting the benefits of NFC for months now.
Mainly because it’s a more secure payment method than cash and credit cards, since credit information stored in NFC chips is encrypted three times over, like an ATM.
And I’ve been especially optimistic about Google’s (Nasdaq: GOOG) NFC mobile payment offering – Google Wallet – because it requires a PIN code to make a purchase at the point-of-sale, adding an extra layer of security to the technology.
Unfortunately for Google Wallet, the application’s security has come under question, based on reports last week that showed how gaining access to a user’s account isn’t as difficult as it seems.
Here’s a quick rundown of each security flaw – and how to make sure your money is safe.
Rooted Devices Are Particularly Exposed
Security firm Zvelo discovered that sensitive information – including your Google Wallet PIN code – isn’t stored exclusively in the NFC chip after all.
Simply put, at some point during the application’s communication with the NFC chip, the PIN code is recorded on the phone itself.
Granted, the information is encrypted. But Zvelo proved that the PIN can be easily extracted in seconds.
Don’t fret, though.
As Google pointed out to Fast Company, a thief would only be able to exploit this vulnerability if the user had previously rooted the device, i.e., hacked it to gain deeper access to the operating system.
So consumers who are running the stock version of Android on their phones are safe.
The same can’t be said about this next security glitch, however…
Turning the NFC Chip Against Itself
Another vulnerability allows anyone with access to your phone to make purchases using Google Wallet funds.
Essentially, all they need to do is open the phone’s settings and clear the data associated with the Google Wallet app. This removes the current user’s PIN information, so a thief can simply open the app and create a new PIN.
But that shouldn’t be a problem, because your payment information has also been cleared along with the original PIN code, right?
Remember, your card information is stored on the NFC chip – not the phone. Which is supposed to keep your money more secure.
The problem is, it also means that your Google prepaid card information is still linked to Google Wallet, even with a new PIN code. Meaning a thief can start making purchases with your prepaid card as soon as he enters the new passcode.
The worst part is, all Google Wallet users are at risk in this case, not just those with rooted devices.
So if you haven’t done so already, perhaps it’s time to set your phone up to require a code to unlock the device. That way, anyone without your code won’t be able to access the Google Wallet app at all, since the phone needs to be unlocked to perform a transaction.
Still, this is a careless error on Google’s part, one that should have been caught before the application went public, and certainly during the eight months since Google Wallet’s debut.
Google has since blocked new users from creating prepaid card accounts, and the company reports that it’s working on a solution to fix both issues described above.
It had better work fast, though. With PayPal turning up the heat in the space – and the mobile carriers’ NFC competitor, ISIS, inching closer to a release date – Google can’t afford to scare consumers away with blatant security missteps.