“In order to address the security glitches present on the phone,” blogged Jose Diaz, director of technical and strategic business development at Thales e-Security on Wednesday, “Google changed its approach from having the wallet on the phone to effectively having the wallet in its servers (or the cloud). This moves the security issues associated with the user’s card to a more secure environment, Google’s servers, rather than trying to secure it on the mobile device itself.”
Many users still distrust the cloud – however, passing responsibility to Google and its servers, rather than retaining responsibility for security on the phone, has its attractions. It also has the advantage, says Diaz, of being ‘consumer-centric’. Users can include their own financial card information rather than “having interested parties such as banks, mobile network operators, etc. in control.” The actual payment is made via a virtual MasterCard prepaid card, although the user doesn’t have to have a MasterCard registered on the Wallet system.
But, adds Diaz, “The same authentication issues are present in order to ensure it is the approved user enabling the payment vs. someone else using your phone and hacking the PIN; the original problem.” A few months back, security researcher Joshua Rubin demonstrated how easy it is to hack Android’s PIN on a rooted device. Google’s response was that it does not support Wallet on rooted Androids, but since Rubin further demonstrated that it is easy to root a stolen phone, the issue remains.
The problem of stolen phones is partly addressed by the new cloud system since the virtual card can be easily and remotely disabled, leaving the real card details protected by Google’s servers. “The market will decide if it is workable or not,” concluded Diaz.
However, Alan Goode, founder and MD of mobile security specialist Goode Intelligence, told Infosecurity, “I am also slightly uneasy at the back-end solution being hosted on Google’s servers. Google is not a bank and I would question whether the security is as strong (we have had previous issues with security surrounding Gmail) as that of traditional financial institutions. Time will tell, as Jose Diaz blogger states – but I am expecting this solution to be thoroughly ‘tested’ by security researchers over the coming months.”