Mobile Payment Gives Rise to Digital Pickpocket

by Matt Klassen on February 13, 2012

Google Wallet was supposed to make things easier…but easier for us, not the pickpockets. As Google continues its rollout of its mobile payment platform, hoping to become the ubiquitous choice of the digital wallet revolution, the search engine giant was hit with the news that several flaws exist in the platform that could potentially allow cyber-pickpockets to make off with your cash.

Security researchers have discovered two different vulnerabilities in the Android mobile payment platform, apparently no more serious than actually losing your wallet, that could allow hackers to gain control of vital payment information—one that works only on rooted (jailbroken) phones and the other on any phone that runs the payment application. Although analysts are torn over the extent of the threat, there’s no question that where the money goes, so too go the thieves.

While the level of actual risk remains in question, there’s no doubt that this entire thing is becoming a bit of a PR fiasco for Google, as the last thing a company looking to handle your money needs is whispers of security flaws, pickpockets, and loopholes.

The more I read about the continued evolution of Google Wallet and other mobile payment platforms the more I start to think that this isn’t really a mobile payment revolution at all, because revolutions involve actual change. More to the point, with talk of security vulnerabilities and cyber-pickpockets, it seems that mobile payment platforms, at this stage anyways, offer me nothing more than what my good ol’ leather wallet already gives me; same money, same security, same convenience.

The first Google Wallet vulnerability was discovered by security firm Zvelo over the weekend. The firm found that a rooted Android phone (similar to a jailbroken iPhone) is susceptible to a brute force attack, one in which a hacker program tries every possible 4-digit PIN until the right combination is found. While the hacker can’t steal the credit card information stored on the NFC chip itself, the hacker can make purchases using the credit card information.

While this vulnerability is certainly low-risk, requiring a rooted phone (which most Android users don’t have), another security risk was discovered this past weekend that, unfortunately, is “painfully easy to do,” requires no extra software, and works on any device running Google Wallet.

The problem with this more serious vulnerability stems from the fact that on a mobile payment platform one’s credit card data is tied to the device—instead of to the user’s card and thus to the user’s bank itself. If your phone is stolen, a semi-competent hacker would be able to access your PIN in the app itself, allowing the cyber-thief to change the PIN and access the funds on the card. Of course the credit card data itself remains secure, but that strikes me as cold comfort when the thief can still use the data to illegally purchase items.

While the latter security flaw is certainly serious, as mentioned, it’s really no worse than actually losing your wallet, a problem that can be remedied by a quick call to one’s bank—or soon perhaps to Google—to cancel the card service. That means while these vulnerabilities are really of little consequence to the average Google Wallet user—and Google itself has promised a swift response—they do strike me as a PR nightmare for the search engine giant, just the kind of fear-mongering hacker talk that could derail its mobile payment rollout before it’s even left the station.
