With over 5 billion mobile phone connections worldwide, mobile transaction capability is at the vanguard of the internet commerce evolution. Mobile payment processing was innovated in 1997 in Finland via SMS, but has since then become more sophisticated with the development and mass-distribution of mobile smart phones. With the advent of smart phone technology came the mobile payment app–and it is in the mobile app that company’s like Google is putting engineering expertise in order to enable mobile payment processing for those shopping through the aisles of the bricks-and-mortar world. Instead of flipping out a 1950s style cowhide billfold, the “Google Wallet” allows consumers to “tap and pay” with their mobile smart phones.
According to the Google Wallet’s webpage, this free NFC enabled mobile app., compatible for Nexus S 4G users, will come with a number of security features. Primary security features revolve around the Secure Element Chip, which “is isolated from your phone’s main operating system and hardware. Only authorized programs like Google Wallet can access the Secure Element to initiate a transaction. Additionally, because Google Wallet enforces a PIN, the only way to transmit payment credentials is if you first enter the PIN. ”
Most consumers would probably load and fire with this new guy before ever questioning its safety. While the majority blindly trust Google to “don’t be evil,” the security experts are wondering whether this app. is a sitting duck–not because the Element Chip’s engineering is inherently inferior or vulnerable, but because Android apps are easy to clone.
Jimmy Shah, mobile security researcher at McAfee, wrote in his 5/27/11 blog, Looking Into Google Wallet’s Security Setup, “Android apps are relatively easy to reverse-engineer, so that would probably be the first step an attacker would take. Google says that only authorized apps will have access to the “secure element” chip, and the chip uses asymmetric encryption to authenticate access to stored secrets (credit card credentials). This implies that an attacker has a good chance of extracting the authentication key from the Google Wallet app. The next step would be to create a malicious application that emulates the official Wallet app to fool the “secure element” chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards.”
But it isn’t just Google that is lagging behind in the mobile payment security field–this 3/31/11 Internet Retailer article, Mobile Payment Applications Need a Second Security Check, PCI Says, highlights the fact that the PCI Council has taken several mobile payment software applications off its approved applications list, citing the need to re-evaluate mobile payment software to ensure that it adequately secures payment card data.
What does this all mean? Well, if you know what happens to sitting ducks, and you go out in the water with them, then chances are you’ll absorb some collateral damage. Wait until Google and the rest of them fly high above hacker range before taking any chances.