How secure is your wallet in Google's hands? (FAQ)

Financial data is stored in a "Secure Element," but a security expert wonders if malware can't just break the lock on it.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Google unveiled its Google Wallet mobile payment plans today, with private field trials starting in San Francisco and New York followed by a public launch sometime during the summer on the Nexus S. The system lets smartphones with NFC (near-field communication) chips use wireless technology to transmit transaction data to special NFC readers at retail stores at very close range.

This means people will eventually be able to wave their Android phones in front of a reader instead of swiping a credit or debit card or using cash. These "electronic wallets" will be a boon for consumer convenience, letting people leave their money and credit cards at home. But how secure will this method be?

This FAQ can help you decide if you feel comfortable trusting Google Wallet with your financial data.

How does this work exactly?
Your payment card numbers and transaction information are encrypted and stored on a tamper-resistant chip from NXP Semiconductors inside the smartphone, in what Google has dubbed the "Secure Element." Customers must type in a PIN to open the Google Wallet app and make a transaction.

"Think of the Secure Element as a separate computer, capable of running programs and storing data. The Secure Element is separate from your Android phone's memory. The chip is designed to only allow trusted programs on the Secure Element itself to access the payment credentials stored therein," Google says on its Google Wallet Web site. "The secure encryption technology of MasterCard PayPass protects your payment card credentials as they are transferred from the phone to the contactless reader."

What if I forget my PIN?
"Today, for security reasons, this requires the user to reset the Wallet and reprovision the credit cards," Osama Bedier, vice president of Payments at Google, said in an e-mail response to questions. "We are actively designing a more user-friendly reset mechanism, and we will reveal more about this feature once it is ready."

What if I lose my smartphone?
If you've locked your phone, then someone would need to get past the phone's own lock screen (PIN or pattern) and then also know the separate Google Wallet PIN in order to reach your financial data.

"The Wallet PIN protects access to the Wallet Application itself," Bedier said. "If a user enters the PIN incorrectly too many times, the Secure Element is disabled and cannot be used for payment until it has been reset by a combination of the issuing bank, the Trusted Service Manager, and the user. Resetting the PIN requires the user to reprovision their credit cards to the Wallet, thereby forcing a would-be thief to provision all the card credentials from scratch. In addition to this, the Secure Element prevents an individual from reading any information directly from it. There are multiple security components to its design that make it difficult for any criminal to extract the data contained within its memory."

Could criminals create fake NFC reader interfaces like they do ATM skimmers?
"There is always the possibility that a criminal might attempt to skim an NFC payment card or mobile device," Bedier said. "However, the Google Wallet has two additional countermeasures against skimming that traditional plastic NFC payment cards do not have. The first is the phone screen needs to be powered on, i.e., illuminated, before the NFC antenna is enabled. The second is the user must enter their Wallet PIN before any credentials are released to a reader. This means the user has to clearly demonstrate the intent that they want to pay, before any payment credentials are released."

"In addition to the security features in Google Wallet, our partners have fraud analytics that help to identify fraudulent transactions and block such transactions as they occur," Bedier added. "Google Wallet and our partner systems combined provide much better protection for the consumer over the standard plastic credit cards broadly available in the market today."

Is there the possibility for sniffing or man-in-the-middle attacks like there is with Wi-Fi networks?
This type of attack is much harder to pull off over NFC than over Wi-Fi, because the transaction completes quickly and the phone has to be held within about 4 centimeters of the reader.

"A typical man-in-the-middle attack is difficult because of the limited range of the NFC radio frequency," Bedier said. "We also have the added protection of the Mastercard PayPass protocol while card credentials are being transmitted. This interaction is controlled by the PayPass protocol. Of course, we are consistently reviewing the security of the entire Wallet software ecosystem and are actively improving the security of the Google Wallet all the time."

What if I accidentally download a Trojan horse or other piece of malware on my smartphone via the Web or a malicious attachment that is written to steal credit card data and hijack transactions?
"If malware compromises the phone's operating system, the Secure Element is designed to protect the credentials," Bedier said. "The Secure Element's OS and the data contained in the Secure Element are completely isolated from the phone's OS. Indeed, the Secure Element hardware is separate from the other storage mechanisms on the phone. Further, the phone's OS does not have the capability to read any data from the Secure Element."
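
The mechanisms described so far (a PIN try counter that disables the Secure Element, credential release only toward a reader and only once the screen is on and the PIN has been verified, and no host command that returns the chip's data) fit together as a small state machine. The Python below is an added illustration written for this FAQ, not code from Google, NXP or MasterCard; the three-try limit, the one-payment-per-PIN rule and the card data are assumptions, since the article gives no such details.

```python
import hmac

MAX_TRIES = 3  # assumed limit; the article does not say how many wrong PINs are allowed


class SecureElementDisabled(Exception):
    """Try counter reached zero: the SE refuses everything until it is reset."""


class SecureElement:
    """Toy model of the payment applet on the Secure Element (constructed, not NXP code)."""

    def __init__(self, credential: bytes, pin: str) -> None:
        self._provision(credential, pin)

    def _provision(self, credential: bytes, pin: str) -> None:
        # Everything below lives in the chip's own memory, not the phone's.
        self._credential = credential
        self._pin = pin.encode()
        self._tries_left = MAX_TRIES
        self._pin_verified = False

    @property
    def disabled(self) -> bool:
        return self._tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        """Host app -> SE: submit the PIN the user typed into the Wallet."""
        if self.disabled:
            raise SecureElementDisabled("reset by bank, TSM and user required")
        # Decrement before comparing. If the compare ran first, cutting power
        # mid-check would leave the counter untouched and allow unlimited guesses.
        self._tries_left -= 1
        ok = hmac.compare_digest(pin.encode(), self._pin)  # constant-time compare
        if ok:
            self._tries_left = MAX_TRIES
        self._pin_verified = ok
        return ok

    def release_to_reader(self, screen_on: bool) -> bytes:
        """SE -> contactless reader: the only path the credential ever takes."""
        if self.disabled:
            raise SecureElementDisabled("reset by bank, TSM and user required")
        if not (screen_on and self._pin_verified):
            raise PermissionError("no demonstrated intent: screen off or PIN not verified")
        self._pin_verified = False  # assumed: one verified PIN buys one payment
        return self._credential

    def read_from_host(self) -> bytes:
        """Host OS -> SE: there is no command that returns stored data."""
        raise PermissionError("host OS cannot read Secure Element memory")

    def reset_and_reprovision(self, credential: bytes, pin: str) -> None:
        """Models the bank/TSM/user reset: state is wiped and cards re-added from scratch."""
        self._provision(credential, pin)


def pay(se: SecureElement, pin: str, screen_on: bool = True) -> bytes:
    """Happy path: screen on, Wallet PIN typed, phone tapped on the reader."""
    if not se.verify_pin(pin):
        raise PermissionError("wrong PIN")
    return se.release_to_reader(screen_on)


def thief_guesses(se: SecureElement, guesses) -> int:
    """Lost-phone scenario: feed PIN guesses until one works or the SE disables
    itself. Returns how many guesses the chip actually processed."""
    processed = 0
    for guess in guesses:
        try:
            ok = se.verify_pin(guess)
        except SecureElementDisabled:
            break
        processed += 1
        if ok:
            break
    return processed


if __name__ == "__main__":
    # Constructed sample data; not a real card.
    se = SecureElement(credential=b"PAN:5413-0000-0000-0001", pin="4321")
    print(pay(se, "4321"))                                      # credential reaches the reader
    print(thief_guesses(se, ["0000", "1111", "2222", "3333"]))  # 3: then the SE is disabled
    print(se.disabled)                                          # True
```

Two things the model makes visible that the quotes only imply. First, the try counter is written before the comparison, the standard smart-card ordering, so that interrupting the chip mid-check cannot buy a free guess. Second, the PIN is typed into the host app and forwarded to the chip: the chip keeps the credential from the host, but it cannot keep the PIN from software that controls the app, which is the boundary the objection below is about.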

One security expert wasn't convinced that the Secure Element could protect against malware that sneaks onto the device.

"The fact that your credit card information is stored on a secure chip doesn't matter that much because if the bad guys can take over the phone, they can control the Google App," said Chris Palmer, technology director at the Electronic Frontier Foundation, who formerly worked on Android security as a senior software engineer at Google. "They can wait for it to be launched and grab your credentials."

An NXP spokeswoman said the Secure Element is impenetrable by malware. "The Secure Element requires authenticated access rights; the architecture is set up such that the Secure Element is firewalled off from the rest of the system," she said in an e-mail statement. "The technology is similar to that used in high-security solutions/applications such as ePassports."

This seems to be the biggest concern, at least for now, particularly given that people can be so easily tricked into clicking on a malicious link or opening a malicious attachment that can unleash malware onto the device and take it over.

The malware problem is compounded by the fact that so many devices are not running the most up-to-date software. For example, researchers discovered a hole in Android related to Google Calendar and Contacts earlier this month that let the data be snooped on Wi-Fi networks. It affected the 99.7 percent of Android devices that were still running older versions of the software in which the flaw had not been fixed. Google quickly pushed out a fix, but the episode highlighted that mobile users (and computer users) are at the mercy of software updates and patch schedules for their security.

"There are tons of phones that don't have the latest security patches," Palmer said. "We're going to have a situation where a lot of people are running Google Wallet on machines we know are blatantly not safe and don't have up-to-date patches."

As people rely on their mobile devices more, criminals will turn their attention to those devices, and already are. Researchers have found a botnet program on an HTC Android phone sold by Vodafone, and samples of the Zeus banking Trojan that targeted Symbian.

But Google Wallet will still be safer than the wallet in my purse or back pocket, right?
Nimble-fingered pickpockets nab wallets from people all the time, spending the cash and using the credit card at retail shops that don't ask for identification. And unscrupulous staff at stores, online or off, can easily use your credit card number before you even suspect anything is amiss. So, yes, your data locked behind PINs and encrypted on your phone is safer than in your wallet at this point.

"The potential benefits far outweigh the risks," even if you have to pay more attention to securing the data stored on your phone, said John Hering, chief executive of mobile security firm Lookout.