Digital Transactions Authoritative, insightful and timely information for payments professionals
Google Inc. late on Tuesday announced a solution for a security flaw in its mobile wallet that allows hackers to gain access to wallet owners’ prepaid accounts. Google also said it had, on Monday afternoon, restored the ability to load funds on new prepaid cards. In response to the flaw, the Internet company over the weekend suspended loading of existing as well as new cards while it scrambled to craft a more workable solution.
Details of the solution were not immediately available, though a Google spokesperson says that Wallet users who want to reprovision an existing card can do so by calling Google. The announcement, which occurred in an update to a blog posting by Osama Bedier, vice president of Google Wallet and Payments, did not elaborate but said, “We are not aware of any abuse of prepaid cards or the Wallet PIN.” The Google spokesperson tells Digital Transactions News that a “permanent fix” is still being worked on, but would not say when it will become available.
When it does become available, the permanent fix might be difficult for some users to obtain. Only one phone, the Samsung Nexus S 4G, and one wireless carrier, Sprint, officially support Google Wallet. Still, “people want the app and are going to extreme measures” to get it, says Joshua Rubin, a senior engineer at Greenwood Village, Colo.-based security firm Zvelo Inc. Such measures include so-called sideloading, he says, a method in which people using unsupported phones or networks jury-rig the Google application to work on their device. These people won’t be able to obtain the Google update automatically and will have to take other steps to avoid being unprotected, Rubin warns.
The discovery of the prepaid vulnerability was part of a one-two punch Google’s fledgling mobile product took last week from security experts. A few days earlier, Rubin had posted an account of how he and other engineers at Zvelo were able to use the handset’s own intelligence to derive the PIN that protects the wallet. This so-called brute-force attack would open the entire wallet to a hacker who has gained access to the phone. “To me, the mistake with the PIN was far more fundamental” than the prepaid flaw, says Andrew Hoog, chief investigative office at viaForensics, a Chicago-based security firm that has examined the Google Wallet.
A fix for this flaw may be longer in coming. According to Rubin, the basic problem is that PIN verification occurs outside the secure element, the chip that holds card numbers and other key credentials. Storing PINs in the secure element, however, could transfer responsibility for authentication to participating banks, which in turn would trigger a number of regulatory burdens. “We are looking at other ways of storing the PIN, [but] we have nothing to announce today,” says the Google spokesperson.
Rubin says Zvelo uncovered both flaws late last year. It desisted from publicizing the prepaid problem to give Google a chance to devise a solution. But a blogger calling himself “SmartphoneChamp” learned about it and posted a description on the heels of a post by Rubin on Zvelo’s site outlining the PIN vulnerability. Zvelo went public with this issue once it became apparent the solution “was out of Google’s hands,” says Rubin, referring to the need to move the wallet PIN into the secure element.
Publicity about a pair of security flaws in what is so far the only commercially available mobile wallet that works with near-field communication technology (NFC) swirled through the weekend and into this week, raising questions about Google’s engineering and, more broadly, about the nascent business of digital wallets. But experts contacted by Digital Transactions News argue there is unlikely to be lasting damage to the Google product. “Consumers have short memories,” says Rick Oglesby, a senior analyst at Aite Group LLC, a Boston-based payments-research firm.
Nor are financial institutions looking to partner with a wallet provider likely to be much swayed by the security issues, says Avivah Litan, technology and security analyst at Gartner Inc., Boston “It’s not good news for [Google], but banks are more concerned about revenue generation,” she says.
Consumer adoption of Google Wallet is hard to pinpoint, since the online search giant refuses to release any numbers, but it’s not likely to very high, Litan says. The product was introduced in May and became commercially available in September, offering both contactless payments and discounts and other offers at the point of sale. The payments function works at any store that accepts contactless cards. So far, Citigroup Inc.’s Citibank unit is the only bank that is known to support the wallet, allowing customers to store a Citi credit card in the product. Google also offers a proprietary prepaid account, and funded the first $10 in each newly opened account until the end of the year as a promotional effort.
The Citi account is unaffected by the flaw that allows access to the prepaid account, experts say, since the PIN involved is linked only to that account. In this vulnerability, anyone in possession of the phone could open the settings menu, delete all settings, and then enter a new PIN. Once set, this new PIN could be used to open the prepaid account. Experts point out that, while this is a simple hack, users can easily protect against it by setting a screen-lock password to guard access to their phone. The much more complicated PIN vulnerability requires a hacker to gain access to the phone’s operating system at the root level—a process known as rooting—and then use this access to make the phone generate the wallet PIN.
While this is a potentially dangerous hack, Google argues that rooting a phone wipes out the data stored on the device, including the PIN, rendering the process fruitless for any criminal. Outside experts like Rubin and Hoog agree, but point out this is true only in a narrow sense. Users who perform a process called unlocking the bootloader, a way of rooting the phone to run customized features, will wipe out the device’s data. But other methods may remain that don’t erase data. Rubin says at least one method he’s tested, called the privilege escalation vulnerability, delivers root access “without anything being wiped whatsoever.” He was set to publish a paper on the matter late Tuesday.
Despite all the publicity, Rubin and others point out the importance of keeping things in perspective. “Even in its present state, Google Wallet is safer than the credit card you carry around with you,” he notes.
