Google's Digital Wallet: A Better Mousetrap?

The new Google Wallet mobile payment technology is a step forward, security experts say, but it still has weaknesses that could make it vulnerable to attack.

The new application for Android phones, which was introduced last week, stores payment information using encryption. The encryption keys are stored in a specialized hardware chip known as the Secure Element. The product uses near-field communications to send data to payment terminals, completing transactions.

Google Wallet will be an open standard, officials say, so that any credit-card company can use it to store payment details.

Security researchers expect the technology to improve upon the current protections used for credit-card transactions.

"The bar for physical credit-card transaction security is pretty low, and it's hard to imagine a system that is less secure [than physical credit card systems]," says Charlie Miller, principal research consultant at Accuvant. "My general feeling is that Google's technology can't be any worse than a physical credit card. If you lose [a credit card], you're screwed, and if someone gets access to it or very close to it, they can copy the info."

Google Wallet protects payment data using the encryption hardware provided by the Secure Element, along with public-key encryption and triple DES encryption. This approach is not new: Many laptops sport similar hardware from the Trusted Computing alliance, which uses a separate encryption processor and data store to lock down important keys. Only a program with the proper authentication can access those keys.

Google stressed that the Secure Element and the Trusted Platform Module are two different technologies and have different applications. The Secure Element runs the Java Card Open Platform (JCOP), a popular smartcard operating system, which can be used to add functionality to stored accounts. Access to the data in the Secure Element is governed by the Trusted Service Manager, Google's engineering team stated in an e-mail interview.

The user has to enter in a four-digit PIN and put their phone on a reader to complete a transaction. Google has partnered with Mastercard and its PayPass payment system to support the technology. The Wallet app has additional security precautions above and beyond those enforced by Mastercard's PayPass infrastructure. The app will only communicate with a transceiver if the phone's screen is on and the PIN has been entered, the team said.

"If a user enters the PIN incorrectly too many times, the Secure Element is disabled and the payment instruments cannot be used at all," Google's engineering team stated. "To be used again for payment, the Secure Element must be reset by a combination of the Trusted Service Manager and the user. This process removes all previously provisioned payment instruments."

Google Wallet could improve transaction security, says Kevin Mahaffey, CTO at mobile security provider Lookout. "The promise of digital wallets can help us get more secure than the current implementation of credit cards, in my mind," he says.

Security experts warned that the implementation has not yet been vetted by the security community.

"I'm impressed by the level of care that Google has put into the security of the digital wallet," says Lookout's Mahaffey. "But I've never seen a technology that has perfect security right out of the box."

Malware could make it difficult to retrieve the keys, essentially performing a denial-of-service attack against the payment system, researchers say. Or a program could, theoretically, break out of the sandbox and eavesdrop on a transaction.

"Attackers who are in this for the money don't attack one person, they attack a million," Mahaffey says. "Until we see the product and we have people banging on it, we won't understand the security."

The near-field communications (NFC) transaction could also be attacked, says Jimmy Shah, a mobile security researcher with security firm McAfee. An attack known as Ghost and Leech was able to siphon details from NFC-enabled credit cards sitting in a victim's wallet, essentially allowing them to be pickpocketed. Such attacks could work against Google Wallet as well, he says.

"The weak point isn't the chip," Shah says. "It's the app itself."

In the end, perhaps the biggest flaw in Google's Android-based payment technology is that smartphones are regularly lost. More than a third of consumers have had a cell phone lost or stolen, according to a report published by Norton in February. Four in 10 companies have had phones lost or stolen in the last year, according to a study conducted by Carnegie Mellon University's CyLab and funded by security firm McAfee.

If an attacker has the phone, all bets are off, experts say. In that case, Google recommends that users report the phone -- and all credit cards on it -- as lost.

So far, the Google Wallet is only supported on a single phone, the Sprint Nexus S.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.