Jaime Blasco, head of labs with AlienVault, creators of OSSIM, the de facto standard open source SIEM (Security Information and Event Management) company, said that Google Wallet is recently launched system of storing credit, debit and loyalty card data in the Google cloud, and then using the smartphone as an authentication device whilst out and about.
“Google Wallet will really come in to its own this summer during the Olympics as MasterCard and Visa ramp up their PayPass and PayWave NFC payment systems, which allow payments of under £10.00 to be completed with a wave of the card – or NFC-enabled mobile – in the same way that TfL’s Oyster card works,” he said.
“Google Wallet protects access to the smartphone app using a PIN protection system, but it appears that researchers have developed a method of cracking the PIN that can be used by cybercriminals to perform fraud by using a brute force attack on the Android device. So far, the fraud only works on rooted devices, but a crack for all Android smartphones is in development,” he added.
The AlienVault threat specialist went on to say that this is particularly worrying, as if an attacker is able to use an exploit to compromise the system in this way, then it follows that they will be able to eventually access – and brute force attack - all of the data held on the smartphone.
The cracking of Google Wallet, he says, is the direct result of the potential security of the payment card process being sacrificed for the sake of convenience.
And, he explained, the weak link in the security chain is the storing of the Google Wallet PIN – effectively the keys to the owner’s credit and debit cards – on the smartphone itself, rather than in the cloud.
Since Google Wallet is a hybrid on-device/cloud data storage system, it would have made more sense to store the user’s PIN in the cloud, meaning that a brute force cracker attack of this type would be a lot more difficult, if not impossible.
More than anything, he says, whilst we are likely to see more and more `convenient payment’ systems like Google Wallet appearing on the increasingly ubiquitous smartphone platform, potential users need to stop and think whether they are taking too much of a risk with their credit and debit card credentials.
And, he adds, what many cardholders probably do not know is that the terms and conditions of most payment cards require that the account holder take reasonable steps to protect their card details, in return for financial protection against card fraud.
Against this backdrop, Blasco argues that storing your card details on the Google Wallet system – regardless of these latest PIN security issues – may compromise your card issuer’s security requirements.
“Put simply, cardholders may find that, if their account is drained of money by cybercriminals, they have no comeback against their bank or financial institution. Having said that, Google Wallet is a highly convenient means of storing credit and debit card data, but the arrival of a crack for the PIN protection system is a potentially serious security problem for users,” he said.
“Longer term – if as seems likely - Android devices are increasingly used to perform payments then the platform will targeted even more than it is today by cybercriminals, who will be hell-bent on developing zero-day and similar attack methodologies in order to monetise their frauds,” he added.
“As with the PayPass and PayWave systems `wave-to-pay’ systems generally, users can choose how they wish to balance convenience against security, but I know which way I will be voting after hearing about this Google Wallet PIN crack.”