Digital Transactions Authoritative, insightful and timely information for payments professionals
Peter Lucas
Last year’s Google Wallet hack should have been a wakeup call, but security experts are still plenty nervous about wallets. What’s being done to shore up security?
When Google Inc.’s digital wallet was breached last February by security experts from not just one, but two, points of entry, the incident served as a poignant reminder to wallet providers they can never rest on their laurels when it comes to security.
Indeed, the lessons learned from the breach came at a good time for wallet providers. Theirs is a nascent technology that has yet to experience an all-out assault by hackers. At the time, Google Wallet was the only commercially available app based on near-field communication (NFC), technology that creates a link between a mobile device and a point-of-sale reader.
By learning its security weakness early in the game, wallet providers had a chance to retest, and if need be, reset their security standards and strategies before digital wallets become a mainstream payment technology and a prime target for criminals.
That will happen once transaction volume reaches appreciable levels, according to security experts. At that point, any breach is certain to create a public-relations nightmare for the wallet provider and give many consumers pause about using a digital wallet.
Consumers, after all, load a variety of personal information into their physical wallets that can be used by criminals to perpetrate fraud or steal their identity, for example, credit and debit cards, driver’s licenses and insurance cards. That same information is expected to find its way into digital wallets.
‘A Growing Concern’
What concerns security experts most about digital wallets is that criminals are laying the groundwork for malware attacks that can net a huge pool of potential victims at once. In other words, they won’t just target a handful at a time by stealing smart phones. For most consumers, the thought of a malware attack against their phone is the furthest thing from their mind as the attacks to date have been few and far between and not widely publicized.
Unsuspecting consumers can download malware by clicking on a link in a promotional text message or e-mail or downloading an app from a source other than the Android or Apple stores. Once a phone is infected with malware, all its apps are vulnerable to probes seeking out personal and transaction data that criminals can use to perpetrate fraud and steal a consumer’s identity.
It is also possible for malware to infect the smart phone with apps designed to crack a digital wallet’s PIN. Once in possession of the user’s PIN, criminals can gain access to, and control, the data in the wallet. Downloading such an app was one technique that Greenwood, Colo., security firm Zvelo Inc. used to break the PIN on the Google Wallet.
Other malware threats include so-called sniffer programs that record keystroke activity and can reveal PINs and passwords needed to validate a consumer to their digital wallet and initiate a transaction.
“The threat of malware attacks against smart phones is a growing concern and we are seeing more evidence of these types of attacks on the Android platform,” says Joshua Rubin, a senior software development engineer for Zvelo. “So far, the attacks have been relatively benign, but in time they will become more sophisticated and a greater threat to phone security, especially as digital wallets become more popular.”
While there are many competing wallets using either NFC or cloud-based platforms, it is in the software that powers the wallet where the technology is most vulnerable, according to security experts. By breaching a smart phone’s software, criminals can bypass the security elements built into the hardware itself that are intended to protect wallet data.
NFC-based wallets store information, including a consumer’s PIN, on a chip or secure element that is hardwired to the phone’s circuit board. Data passing to and from the secure element are encrypted, which creates a firewall. Other security features of the secure element include built-in commands that erase data in the wallet if the PIN is incorrectly entered too many times. The PIN is required to validate the user to the wallet.
By contrast, cloud-based wallets store information on a secure server protected by several security layers. No information is stored in the phone or on any of the phone’s apps.
The Root Problem
According to security experts, one of the weakest points of the digital wallet is the cache memory inside the application that launches the wallet. It is not uncommon for residual data coveted by criminals to remain in the cache after each transaction. Launching a malware attack against the cache can potentially provide criminals access to the information left in the wallet’s app, regardless of whether it is an NFC- or cloud-based wallet.
“If criminals can get to this data, they will exploit the opportunity, even if it is on a secure server in the cloud,” says Avivah Litan, a security analyst for Stamford, Conn.-based Gartner Inc. “After every transaction, any information in the cache needs to be cleaned out and deleted, but that is not always the case. Hopefully wallet providers will make this a habit.”
Zvelo first learned that Google Wallet could be breached on rooted smart phones. When a phone is rooted it becomes more vulnerable to hackers, because in their zeal to customize the phone, consumers end up bypassing the multiple layers of security built into the phone’s operating system. As part of the customization process, consumers will typically download apps from sources that have not vetted the app to ensure it is free of malware.
While a rooted phone creates a cool factor that end users can show off to friends, it opens the door for hackers to gain administrative control over the phone’s operating system via malware.
After rooting a Samsung Nexus 4G phone, the only phone at the time that supported Google Wallet, Zvelo discovered it could download malware designed to attack the wallet app. In this case the malware was a so-called PIN cracker app that ran all possible combinations of the four-digit PIN required to open the Google Wallet app. Once the Google Wallet is open, it can access the data stored in the secure element. Cracking the PIN took about a minute, according to Rubin.
“Google Wallet requires entry of a PIN into an app that unlocks the secure element. If hackers can get control of the app, they can find the PIN needed to validate the app to the secure element,” says Rubin. “Breaking the secure element itself requires a much more sophisticated attack, but wallet security should not be dependent on whether users root their phone.”
Next, security experts found that unrooted Samsung Nexus 4G phones could be breached through the phone’s application menu. A hacker could reset the PIN for Google Wallet by clearing the settings for the wallet within the phone’s settings menu. Google Wallet users were not required to enter their PIN to access the phone’s settings menu.
When Google Wallet was reset, users were prompted to enter a new PIN without being asked to enter the old PIN to verify their identity. Even if the user suspected a breach and reset his PIN, the hacker could go back and change it.
Google acknowledged both security holes after news of the breach went public and quickly announced a fix: the ability to remotely disable Google Wallet through the Google Wallet Web page. In a blog posting, Google touts remote disablement as something consumers can’t do with their leather wallet. Google did not make executives available for this story.
Isis, a consortium of wireless carriers Verizon Wireless, AT&T Mobility, and T-Mobile USA that supports an NFC-based wallet platform also did not respond to requests for an interview.
‘Juicy Targets’
While security experts agree the ability to remotely disable Google Wallet will help protect consumers, they are quick to point out that since the breach Google has appeared more interested in developing the cloud-based version of its wallet.
Cloud-based wallet providers argue that their platform is more secure than NFC wallets because they have baked in several layers of security and eliminated storage of account and personal data on the phone itself. Nevertheless, some security experts point out that if hackers can successfully breach databases of large credit card processors, which store their information in the cloud, they can breach cloud-based wallets too.
“While the cloud infrastructure allows for more creativity in developing and rolling out security solutions, companies that store a lot of credit card data in one place have historically been juicy targets for criminals that have shown they can be breached,” says Andrew Hoog, chief investigative officer for viaForensics LLC, a Chicago-based security firm that successfully broke Google Wallet’s security. “Digital wallets can be made secure, but it requires a lot of time, testing, and money.”
One wallet provider making that effort is Scottsdale, Ariz.-based Apriva LLC, which has a cloud-based wallet in addition to a mobile-payments app. Some of the features Apriva uses to secure its wallet include encrypting data traveling over the wireless network, deleting data at rest in the cache, authenticating apps and devices trying to access the wallet, and lengthening the time it takes to show a retry prompt after a failed PIN entry. The last tactic is intended to frustrate automated programs designed to decode the PIN. The wallet also limits the number of PIN entry attempts.
“A smart phone’s operating system is not necessarily designed to detect and fight attacks from hackers, so it should not be a point of trust for storing data,” says Apriva president Paul Coppinger. “The key is to create a secure ecosystem in which [merchants, banks, wallet users, and app developers] are known to each other and can be authenticated before access is granted to the wallet. We are very careful about verifying every point of connection to our wallet.”
Apriva has used viaForensics to test the security of some of its mobile apps.
Another security advantage of cloud-based wallet platforms is that providers can use their massive database to perform analytics that can generate alerts to deviations in consumer behavior. When a suspect transaction occurs, the wallet provider can contact the wallet owner to verify the legitimacy of the transaction. If the wallet owner does not respond promptly, completion of the transaction can be delayed until it is verified.
The GPS system within the phone can also be used to detect fraud. For example, if the actual mobile device on which the digital wallet resides is shown to be in Chicago and a device in Madrid is attempting to initiate a transaction through the wallet, a red flag is raised and the transaction halted until it can be verified by the wallet owner.
‘No Silver Bullet’
“There is no silver bullet to wallet security, it’s all about creating layers of fraud protection and communicating with the wallet owner,” says a spokesperson for San Jose, Calif.-based PayPal Inc., which uses both of the aforementioned techniques to secure its cloud-based wallet.
Tokenization can also be used to secure data within digital wallets and mobile payment apps. Boston-based LevelUp, for example, uses this technique to create a randomly generated QR code that can be scanned at the point of sale to initiate payment. After the QR code is generated, it maps to a token on LevelUp’s servers, which maps to yet another token stored and managed by Chicago-based Braintree Payment Solutions LLC, a registered independent sales organization for Wells Fargo Bank.
Once a QR code is decrypted, the transaction is charged to the wallet owner’s credit or debit card. Since the code is randomly generated, it contains no actual account data. Consumers can generate a new code any time they wish.
Cleveland-based SparkBase Inc. has added a twist to tokenization for its wallet, generating a new QR code for each transaction and immediately deleting used tokens from the wallet’s cache.
“There is always a risk that hackers will attack wallets in the cloud, because they are attacking processors, but there are a lot of proven security technologies being carried over from e-commerce that make digital wallets far more secure than a physical wallet,” says SparkBase president Geoff Hardman. “The digital-wallet industry is young, but security standards are being defined. Once consumers become aware of this, they will be more comfortable using the wallet.”
Getting Consumers To Lend a Helping Hand
While digital-wallet providers are the frontline defense against hackers, security experts point out consumers, too, should be enlisted in the fight against fraud. Getting consumers on board, however, requires educating them about securing their phone.
Steps consumers can take to enhance a phone’s security against unauthorized access include making sure updates to the operating system are installed. Knowing the risks of rooting their phone and downloading apps from unknown sources is also vital for consumers.
“Smart phones offer a much larger attack surface than personal computers and the more security layers put in place, the harder it becomes to attack them,” says Andrew Hoog, chief investigative officer for Chicago-based security firm viaForensics LLC.
The most logical party to take the lead in consumer education about digital-wallet security is the consumer’s bank. When it comes to security, consumers tend to place greater trust in banks than in wallet providers. “How many wallet providers are known to consumers and have a strong reputation for security?” asks Shirley Inscoe a senior analyst for Boston-based Aite Group LLC.
Despite this consumer trust and the potential new revenue stream digital wallets represent to banks, most financial institutions have a done a poor job of educating consumers about fraud prevention, let alone digital wallet security. A study authored by Inscoe last October entitled Global Consumers React to Rising Fraud: Beware Back of Wallet reveals that 43% of consumer respondents in the United States said they don’t recall receiving any anti-fraud information at all from their financial institution.
“Malware attacks on mobile devices may be in the early stages, but we are seeing more of them,” says Inscoe. “Financial Institutions have not yet taken the lead on educating consumers about what they can do to protect their digital wallets from potential fraud, even though consumers trust them when it comes to security. Consumer education is something banks should be doing.”
