Google has taken great pains to secure its Google Wallet mobile payment service, employing a secure NFC chip to store credit card information. Security experts discuss ways malicious apps might attack Wallet.Google Wallet, the search engine's efforts to enable mobile payments using near-field communication technology from smartphones, has a number of challenges it must overcome to succeed.
One is obviously the general lack of interest in mobile payments via smartphones at a time when the vast majority of people happily use wallets. The second-biggest barrier to wholesale adoption may be consumers' concern about the security Google Wallet provides for their credit card information.
So how does Google promise to protect sensitive user data? Believe it or not, the key is an NXP PN65K chip in the Samsung Nexus S 4G smartphone (the only Google Wallet-enabling phone to date).
This "Secure Element," which stores users' credit card digits, is isolated from the phone's operating system and hardware and uses cryptography (PKI [Public Key Infrastructure] and Triple-DES [Data Encryption Standard]) and memory protection, making it tough to crack.
Only authorized programs like Google Wallet can access the Secure Element to trigger a transaction. Moreover, Google Wallet cannot read or write data from the Secure Element's memory.
Google Wallet also requires a 4-digit PIN, which is the only way to transmit payment credentials. That's not something even today's credit cards require to process. This step also prevents bad guys from brushing by you in a crowd to grab your info via NFC, noted McAfee security researcher Jimmy Shah.
As for whether any malicious application could access a user's credit card on the Secure Element, Google assures that Android enforces strict access policies so that malicious applications wouldn't have access to data stored by Google Wallet.
However, Shah thinks Android might be the best entry point for a perpetrator because Android applications are relatively easy to reverse-engineer.
He believes an attacker has a good chance of extracting the authentication key from the Google Wallet application and creating a malicious application that emulates the official Wallet application to fool the Secure Element chip into giving up a user's credentials.
One is obviously the general lack of interest in mobile payments via smartphones at a time when the vast majority of people happily use wallets. The second-biggest barrier to wholesale adoption may be consumers' concern about the security Google Wallet provides for their credit card information.
So how does Google promise to protect sensitive user data? Believe it or not, the key is an NXP PN65K chip in the Samsung Nexus S 4G smartphone (the only Google Wallet-enabling phone to date).
This "Secure Element," which stores users' credit card digits, is isolated from the phone's operating system and hardware and uses cryptography (PKI [Public Key Infrastructure] and Triple-DES [Data Encryption Standard]) and memory protection, making it tough to crack.
Only authorized programs like Google Wallet can access the Secure Element to trigger a transaction. Moreover, Google Wallet cannot read or write data from the Secure Element's memory.
Google Wallet also requires a 4-digit PIN, which is the only way to transmit payment credentials. That's not something even today's credit cards require to process. This step also prevents bad guys from brushing by you in a crowd to grab your info via NFC, noted McAfee security researcher Jimmy Shah.
As for whether any malicious application could access a user's credit card on the Secure Element, Google assures that Android enforces strict access policies so that malicious applications wouldn't have access to data stored by Google Wallet.
However, Shah thinks Android might be the best entry point for a perpetrator because Android applications are relatively easy to reverse-engineer.
He believes an attacker has a good chance of extracting the authentication key from the Google Wallet application and creating a malicious application that emulates the official Wallet application to fool the Secure Element chip into giving up a user's credentials.