Mobile WorkHorse

About this Blog:

Al Sacco writes about (and drools over) anything and everything mobile or wireless as it applies to the global workforce--with a focus on BlackBerry smartphones

Al Sacco

Android Security Woes: Google Wallet Threat Bad News for NFC Payments

New Google Wallet for Android security threats raise questions about the viability of NFC mobile payment services and the public's willingness to adopt them, even though such services actually have the potential to improve payment security, says CIO.com's Al Sacco.


It's been a bad week for Google's Near Field Communications (NFC) based mobile payments service, Google Wallet, and NFC payments in general.

The latest major Android security scare involves Google Wallet, and it's a serious one. It comes at a time when Google is trying to convince Android owners to feel comfortable with using Google Wallet and their NFC-compatible smartphones to pay for goods and services, instead of using their good ol' credit or debit cards.

Google first unveiled Google Wallet last May, but the service didn't launch until September, and it's only officially available on one Android handset and one U.S. wireless carrier, the high-end Samsung Galaxy Nexus from Sprint, though the service is expected to make it to a wide array of Android devices in the near future.

Earlier this week, security representatives from zvelo posted a blog entry detailing a "brute force attack" that provides them with access to Google Wallet users' security PINs, assuming those users have "rooted" or "jailbroken" devices. And access to the Google Wallet PINs gives the exploiters access to any stored payment card information. (See video above)

This exploit was bad enough, since it clearly demonstrated the potential to compromise Google Wallet users' personal information; however, it did require users to root their devices and apparently did not affect Galaxy Nexus users who chose not to root their handhelds. In other words, the security threat was a real one, but smartphone users were as much to blame for the vulnerability as Google, since the users would have had to choose to root their devices.

But a few days later, another similar exploit was announced that also grants access to Google Wallet PINs, and does not require root access. (See video below.)

From TheSmartPhoneChamp.com:

"All a person who wants to access your Google Wallet has to do is go into the application settings menu and clear the data for the Google Wallet app.  After doing that your Google Wallet app will be reset and will prompt for you to set a new pin the next time you open it.  The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new pin and log into the app, when they add the Google prepaid card it will add the card that is tied to that device.  In other words, they’d be able to add your card and have full access to your funds."

Yikes. That can't be good for Google's efforts to convince users that Google Wallet and NFC-based mobile payments are safe and secure. It sure makes me wary to jump on the NFC payments bandwagon, but it is worth noting that NFC does have the potential to actually be much more secure than credit cards, since those plastic cards really don't offer any type of security until owners report them stolen or credit card companies flag accounts for suspicious behavior.

However, that might not matter if the general public gets spooked by high-profile security breaches like this one, and NFC payments never get a chance to prove their worth.

All of this brings to mind my number one smartphone security rule, which I've repeatedly stressed in security tips stories for all major mobile platforms: Always (ALWAYS) lock your device with a password. If you don't, you're simply asking for trouble. If your Galaxy Nexus phone is password protected when it is lost or stolen, this latest Google Wallet exploit wouldn't likely affect you anyway, even if your handheld was rooted, since nobody would be able to gain access to applications without first unlocking your device.

AS

TheSmartphoneChamp.com via BGR
