Google Wallet Hack Shows NFC Payments Still Aren’t Secure


You probably won’t see the Wallet Cracker app in the Android Market anytime soon. That’s not because it doesn’t work; it actually works perfectly, which is the problem.

In a video posted by security firm Zvelo, the program exposes the PIN of a Google Wallet account within seconds. This is disappointing because near-field communication (NFC) payment systems, of which Google Wallet is the most visible, are at a critical juncture.

The technology to institute widespread contactless payments exists today. One of the factors holding it back—the lack of coordination between banks, mobile carriers and software companies like Google—will resolve itself over time.

So what is the biggest obstacle to a wallet-free world? Fear.

People want to know that if they lose their smartphone, they won’t be losing the virtual equivalent of their credit cards as well. Of course, credit cards aren’t that safe either: A few months ago, thieves used skimmers in 24 Lucky Supermarket locations in the Bay Area to steal data from more than 500 customers.

Still, if a credit card is an imperfect product, at least it’s an imperfect product people are used to. New technology always has a much smaller margin of error when it comes to winning the public’s trust.

The hacked phone in question had also been rooted, meaning its owner had unlocked administrator-level access — something most regular consumers wouldn’t bother with. Unfortunately, as Zvelo points out, Google Wallet comes only on a flagship phone on a single carrier (Samsung’s Nexus S 4G on Sprint), which is exactly the kind of phone that is likely to be rooted by tech-savvy early adopters.

The biggest problem when it comes to security is that we know very little about NFC threats. Google Wallet is fairly new and its biggest competitor, ISIS, a joint venture between AT&T, T-Mobile and Verizon, isn’t even available to the public yet. This creates a chicken-or-the-egg scenario when it comes to researching potential threats.

“Is there a lot of testing right now? I’d say no,” said Ted Eull, vice president of technology services at viaForensics, a digital forensics and security firm. The problem, he says, is that there just isn’t much consumer demand for NFC testing right now, meaning that the only people who have the funds to do it are university researchers and the companies who actually design the software.

“We will undertake more testing, but we’ll have to acquire new equipment related to NFC, there is basic R&D to be done, and the manufacturers and providers don’t share a lot of information with us so we have to reverse engineer a lot of what they develop. That takes a lot of time,” said Eull.

Security firms won’t research NFC threats because it’s expensive and there isn’t much consumer demand for it. Consumers won’t create that demand until they know that NFC payments are safe, which requires more research by security firms.

A bit of a sticky wicket, to be sure, but I sincerely believe that eventually there will be enough momentum to get security firms and consumers behind NFC payments. After all, as Eull pointed out, credit cards’ only line of defense is a signature nobody looks at.

“I wouldn’t characterize using Google Wallet as riskier than using a credit card,” he said. That’s all the endorsement NFC payments might need to one day take off.
