Google has apparently taken great pains to secure its Google Wallet mobile payment service for Android, employing a secure near field communication (NFC) chip to store credit card information. Yet security experts suggest that the service is open to a variety of attack strategies from malicious apps.

Google Wallet, the search giant's effort to enable mobile payments using very short-range near field communication (NFC) technology embedded in smartphones, faces a number of challenges. These include the general lack of consumer interest in mobile payments via smartphones, as well as the level of security Google Wallet provides for credit card information. Some of the concerns over security may be justified, according to several analysts. 

Announced late in May, Google Wallet will launch this summer with the support of Citi, MasterCard, and First Data, letting users of Sprint's Android 2.3-based Samsung Nexus S 4G smartphone make payments at participating retailers via terminals fitted with NFC technology from VeriFone, Hypercom, Ingenico, VivoTech. The service will first be made available in New York City and San Francisco this summer.

Aside from the typical loyalty offers shoppers may accrue from using Wallet at these locations, Google is pairing Wallet with Google Offers, a Groupon-like local deals service. Consumers may scan coupons into their smartphones and sync them to Google Wallet for redemption at the same PayPass locations.

So how does Google promise to protect sensitive user data during these transactions? The key is NXP's PN65K chip embedded in Samsung Nexus S 4G, the only Google Wallet-enabling phone to date. This "Secure Element," which stores users' credit card digits, is isolated from the phone's operating system and hardware, says Google.

The PN65K uses PKI (Public Key Infrastructure) and Triple-DES (Data Encryption Standard) cryptography, as well as memory protection, making it tough to crack. Only authorized programs like Google Wallet can access the Secure Element to trigger a transaction.

Moreover, Google Wallet cannot read or write data from the Secure Element's memory. Google Wallet also requires a four-digit PIN, which is the only way to transmit payment credentials. That's not something even today's credit cards require to process. This step also prevents bad guys from brushing by you in a crowd to grab your info via NFC, according to McAfee security researcher Jimmy Shah.

Google assures that Android enforces strict access policies, prohibiting malicious applications from accessing a user's credit card on the Secure Element. However, Shah thinks Android might be the best entry point for a perpetrator because Android applications are relatively easy to reverse-engineer. He believes an attacker has a good chance of extracting the authentication key from the Google Wallet application and creating a malicious application that emulates the official Wallet application to fool the Secure Element chip into giving up a user's credentials.

"From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards," Shah wrote in a blog post.

Lookout Mobile Security CTO Kevin Mahaffey agrees with Shah that some sort of malicious application could be developed that might compromise the Google Wallet application or the provisioning process. Alternatively, an application could exploit the software in the Secure Element, enabling a hacker to grab credit card info, he noted.

Beware the "ghost-and-leech"

Mahaffey wonders whether the PIN will be here to stay or will go away if Wallet becomes widely adopted. If the PIN is abandoned, Mahaffey said a user could then be susceptible to a man-in-the-middle attack, or the ghost-and-leech attack Shah referenced. In this attack, a perpetrator can use an NFC reader to swipe consumers' credentials when they make a purchase via their phone. The main defense against this attack, Mahaffey noted, is the PIN.

ThreatMetrix Chief Products Officer Alisdair Faulkner told eWEEK that the fundamental challenge between the security of today's credit cards and Google Wallet is that Wallet exists in the same environment in which someone else's malicious application is able to get at that data.

"The analogy I would use is that I can put my credit card in my wallet, but my driver's license isn't going to try and communicate with it in any way," Faulkner told eWEEK. "Anywhere that you have stored value, that is going to be something that criminals are going to attack. Never before in history have we had this kind of financial data and credentials stored on a device, which we know fundamentally can never be trusted."

More questions about Google Wallet

Despite an impressive demonstration at its May 26 debut, and its solid lineup of backing, Google Wallet has drawn considerable skepticism from analysts, and not only about security.

Google Wallet on a Samsung Nexus S 4G (left) with PoS system

"The odds are stacked against any wide-ranging initiative like this," Current Analysis analyst Avi Greengart told eWEEK. While Greengart said he was impressed with Google Wallet, especially with its integration with Google Offers, he added, "All NFC initiatives face the chicken-and-egg problem: not enough NFC devices, not enough POS (point-of-sale) terminals that accept them."

Industry analyst Jack Gold, meanwhile, suggested that the service does not appear to fulfill a compelling need that is not already being met in various ways by other payment services.

"We consumers currently have so many different options, it's getting overwhelming," Gold told eWEEK. In the end, however, the project's success will hinge on security, as well as Google's reputation for trust. "I think the major issue consumers will need to overcome is trust," he added. "It's not so much about the technology as it is about who do I trust to be my credit authority. Is it Google? Is it the carrier?"

Finally, in an eWEEK analysis piece called "Google Wallet won`t succeed: 10 reasons why", Don Reisinger notes some other obstacles for Google. These include the challenge in persuading smartphone vendors to add an NFC chip to their devices that would add to cost and support issues with minimal prospects for use.

In addition, the lawsuit from eBat's PayPal over Google Wallet could prove troublesome, writes Reisinger. What's more, Google will likely have difficulty managing "the many different interests of all the stakeholders in the marketplace" including financial services firms, device makers, retailers, and consumers.

Clint Boulton is a writer for eWEEK.

---

This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.