Citi’s Security Breach Has Google Checking its Wallet
Well, add another big name to the list of victims of the recent cyber crime spree.
Last week, Citigroup (NYSE: C) joined the growing number of cyber sufferers when it announced that hackers had gained access to credit data belonging to 360,000 Citi cardholders in North America.
According to Reuters, “Experts called it the largest direct attack on a major U.S. financial institution and said it could prompt an overhaul of the banking industry’s data security measures.”
Understandably, the attack has consumers on edge. Coming hot on the heels of a cyber attack on Sony’s (NYSE: SNE) PlayStation Network, the fact that hackers were able to jump right to the source and access credit card data is disturbing.
So how is Google tackling its security?
Even Dr. Evil’s Laser Beams Aren’t a Threat
When it comes to mobile payment applications, security starts with the NFC (Near-Field Communication) chip itself.
Made by NXP Semiconductors (Nasdaq: NXPI), this chip is stored in the phone and holds important credit card information.
Some analysts have spotted potential problems with the model, though, since it could leave the chip vulnerable to malicious mobile applications.
As ThreatMetrix Chief Products Officer Alisdair Faulkner told eWeek: “I can put my credit card in my wallet, but my driver’s license isn’t going to try to communicate with it in any way… Anywhere that you have stored value, that’s going to be something that criminals are going to attack.”
But fear not.
Besides being tamper- and laser-resistant (seriously), eWeek explains that the chip is completely “isolated from the phone’s operating system and hardware.” And it “uses cryptography (PKI [Public Key Infrastructure] and Triple-DES [Data Encryption Standard]) and memory protection.”
Quite a mouthful, I know. But to put it simply, Triple DES means that the data is encrypted three times over. It’s the same technology that ATMs have used for years. And based on new PCI security standards, merchants are now required to use Triple DES in their debit PIN pads.
In other words, it’s about as secure as you can get right now. And to top it off, since the NFC chip stays separate from the phone’s operating system, only authorized programs (i.e. Google Wallet) can gain entry to the data.
But chip-hacking is just one security issue…
Why Subway Gropers Can’t Infiltrate NFC Data
The “near-field” aspect of NFC payments is also raising some hackles.
If all it takes to access my credit card data is a simple tap, what’s to stop someone with a rogue NFC terminal from shuffling through a crowded subway and snagging credit data from pocketed smartphones?
The answer: Three separate PIN codes.
- As I’ve mentioned before, in order to sign into Google Wallet, you need to enter a four-digit PIN. No PIN code = no payment. That alone makes it more secure than credit cards, which you can use to buy anything with a simple swish of a pen on paper.
- Add an extra layer of security by using a code that unlocks the phone itself.
- And for the uber-security-conscious consumer, PCWorld explains that a third PIN can also be used “at the time of the actual transaction, so even if your Android smartphone is lost or stolen, it shouldn’t be possible for a thief to make any unauthorized transactions.”
Add it all up – tamper resistance, three levels of encryption and three PIN codes – and Google Wallet is a heck of a lot safer than carrying around plastic, or even shopping online.
As Fred Touchette, Senior Security Analyst for AppRiver, says, “While it’s true there have been a lot of security breaches lately, the truth is that most people who shop online already have their payment data stored somewhere out in the cloud, which already makes them a potential target.”