Google Wallet Security Questioned


Two security flaws were reported in as many days in Google Wallet, raising questions about the company's electronic system for making purchases with an Android smartphone.

The blog The Smartphone Champ reported Thursday a vulnerability that made it easy to gain access to the prepaid card in Google Wallet.

A person only needed to go to the application settings and clear the data. Once that was done, Google Wallet would ask the user to set a new password, which would enable the person to make charges on the prepaid card. Such a process would not work to make purchases on the stored credit card number.

Google planned to release an automated fix for the flaw Friday, a spokesman said.

The other reported vulnerability was discovered by Zvelo, a Greenwood Village, Ore-based specialist in malicious Web site detection. Joshua Rubin, a senior software engineer at Zvelo, found the four-digit Google Wallet password and was able to decrypt it. Google Wallet allows five password-entry attempts before locking the person out. Rubin says he hit on the correct password in the first attempt. "It's not hard," he said.

Rubin found the password, because it is stored in the application database, not in the special chip, called a Secure Element, where credit-card numbers are stored. That technology is controlled by the bank issuing the card.

While acknowledging Rubin's discovery, Google pointed out that the engineer used a phone in which the security mechanisms had been shut
down through a process called rooting. Tech-savvy people will root a phone to replace system applications and settings and run specialized apps.

If a person had someone else's Android smartphone and tried to alter its security architecture, all user data within the phone would automatically be wiped out, including all Google Wallet data. "To date, there is no known vulnerability that enables someone to take a consumer phone and gain access while preserving any Wallet information such as the PIN (personal identification number)," a Google spokesman said.

The impact of such vulnerabilities on consumers is small, given that Google Wallet is not widely used. Nevertheless, convincing consumers that credit card numbers are protected is a focus of any payment service, so security disclosures are bound to raise concerns. "Once attackers get your PIN, they have full access to any credit-card information stored in the app, and they can use your phone to make purchases," Jimmy Shah, a mobile security research expert at McAfee, said in the company's blog. McAfee sells security software for smartphones.

Google Wallet is only available on one phone, the Samsung Nexus S 4G, which runs Google's Android operating system. Sprint is the only carrier that supports Google Wallet. The other major carriers, AT&T, Verizon Wireless and T-Mobile, are preparing to compete with Google through a joint venture called Isis. Last year, the carriers announced plans to invest more than $100 million into the mobile payment system.

Both services turn a smartphone into an electronic credit card. Tapping the phone on a reader completes the transaction at a retail store. The market for such payment services could reach $670 billion by 2015, according to Juniper Research.