As regular readers of this blog know very well, we love the concept behind Google Wallet here at UniBul Merchant Services. We believe that every digital wallet, just like its physical counterpart, should allow its users to store in it all types of payment methods they may want, including bank cards issued by different banks and bearing different brand logos. And Google is offering precisely that.
However, data security is even more important than convenience and user-friendliness. In fact, your service should not be made available to consumers until your system can be guaranteed to protect your customers’ personal information. And that apparently is not the case with Google Wallet.
How to Crack Google Wallet in Seconds
The good people at Zvelo have done a lot of work evaluating Google Wallet’s security credentials and have found them wanting. They have built an app that can enable anyone to retrieve your Google Wallet PIN, if they can get their hands on your phone. They have even posted this video to show you how quickly and painlessly this is done:
Now, this Zvelo app may not be made available for download on the Android Market anytime soon, but the bad news is that it is apparently incredibly simple for anyone with a relatively modest amount of technical skills to replicate it. There is a lot of technical jargon in Zvelo’s explanation of the hack, but here is the gist of it:
The lynch-pin, however, was that within the PIN information section was a long integer “salt” and a SHA256 hex encoded string “hash”. Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time.
Google Wallet allows only five invalid PIN entry attempts before locking the user out. With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system.
There it is, hacking Google Wallet is “trivial.”
Who Should Be Responsible for Keeping Your PIN Secure?
The Zvelo guys tell us that they immediately contacted Google, alerting them of the vulnerability they uncovered and the search giant “was extremely responsive to the issue, but ran into several obstacles preventing them from releasing the fixed app.” Then we are walked through the obstacle course, which I will spare you, but the interesting part comes at the end of it.
It turns out that when the Google engineers did find a fix for the vulnerability, they promptly ran into another issue, one for which there was no technical solution. “[W]ith the proper fix in place, the PIN will be nearly impossible to crack,” the Zvelo guys assure us, however, the securing of the user’s PIN may “constitute a “change of agency” responsible for keeping the PIN secure.” So not Google, but the card issuer would be the responsible party.
We don’t yet know whether the banks would agree to this “change of agency” thing, but my guess is that they would accept it. There is no doubt in my mind that eventually the NFC technology that is behind Google Wallet will be every bit as secure as any other payment technology, so the banks’ liability will decrease greatly over time. Moreover, being the party responsible for the security of the users’ data will put the issuers in a much better bargaining position when negotiating the terms of their partnership with Google.
Google Wallet has been in the news, and on the pages of this blog, for so long now that you may be forgiven for thinking that you may be the only one not using it. Well, you may take comfort in the knowledge that the exact opposite is actually true: there are very few Google Wallet users at present. Moreover, there are only two phones on the market today which support it: Google’s own Nexus S and Galaxy Nexus.
So, if there was ever a good time to be uncovering security shortcomings in the service, it would surely be now. Yet, I don’t think it is too much to expect that hacking the current wallet version would not be a “trivial” exercise. I almost get the sense that Google doesn’t care about understand the importance of protecting its customers’ personal information. I can only hope to be proved wrong.
Image credit: The Google Blog.