Google’s NFC service will be thoroughly vetted for vulnerabilities and for ways cybercriminals could gain access. Cloning may be possible.
The Google Wallet service, announced this week, uses the PayPass credit or debit system by Mastercard. For now the new payment system only works with Google’s Nexus S smartphone, but Google reportedly will sell kits so other Android devices could support the technology. For the service to work, merchants must support Mastercard PayPass, a service that has gained acceptance with the payment card data security standards (PCI-DSS). Supported devices must also run Google’s payment app to complete transactions.
Google has set up a FAQ on Google Wallet security and privacy for merchants considering supporting the service. Google said it has designed “multiple elements” at the hardware level into its service to help prevent snooping or tampering.
According to Google, credit card credentials are stored using hardware-based encryption. The app itself is sandboxed. Sandboxing isolates the app from other processes to make it more difficult for cybercriminals to leverage device or other application vulnerabilities to gain access to the sensitive data.
Jimmy Shah, a mobile security researcher at McAfee, wrote that up until now, researchers have focused on “ghost and leech attacks” as a threat to NFC technology.
“You’re more likely to be hit by a crook brushing by you with an RFID reader to steal or transmit your credentials to a fake RFID card,” Shah wrote.
The good news is that Google has introduced a third layer of protection, a PIN number, to initiate a tap-and-pay transaction. Google Wallet data won’t be transmitted without the user inputting the PIN. Shah said the step prevents anyone from stealing usable NFC data via a reader.
Researchers will have to wait for Google Wallet to reach consumers before it can be fully vetted, he said. No doubt, Google has put it through various tests to ensure device configuration errors and other issues don’t expose it to attacks.
The Google Wallet app has not yet been widely released, so it’s difficult to properly identify possible weaknesses. Once it’s available on more phones, we’re bound to see more research from both the criminal element and legitimate security researchers.
Reverse engineering, cloning may be possible
The Google Wallet app will likely be reverse engineered by cybercriminals, Shah said. It’s a feat that is not too difficult today with the availability of free tools on the Internet. A possible hole, according to Shah, is its secure chip, which uses asymmetric encryption to authenticate access to the data. “This implies that an attacker has a good chance of extracting the authentication key from the Google Wallet app,” he said.
The next step would be to create a malicious application that emulates the official Wallet app to fool the “secure element” chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards.
It’s a safe bet that the PCI Council (and Mastercard) will be watching developments closely. The council said earlier this year that its new mobile payment task force would review NFC payment systems and other mobile payment technologies.
“We’re trying to dissect the mobile area now because there are just so many unknowns out there and so many different devices that don’t have any security we can see,” said the Council’s General Manager Bob Russo in an interview with SearchSecurity.com back in March.
SmartCard Alliance on NFC payment systems
The SmartCard Alliance, a non-profit organization backed by a number of technology companies pushing mobile payment systems, issued a video last month addressing NFC payment systems. The Alliance is supporting “chipless pin.” (Chipless is seen as cheaper, though the rest of the world is moving toward chip and PIN.) The video is an interview with payment systems consultant Steve Mott. He said everyone has a stake in providing services and technology to the “mobile ecosystem.” New NFC infrastructure could ultimately do away with the old mag stripe, physical card payment system.
“It’s clearly outlived its usefulness,” Mott said of current credit card payment systems in the interview.
“It’s too costly, it’s too fraud prone, it creates ungodly expenses like PCI compliance. We’ve spent enough in the United States on PCI compliance since 2004 to implement EMV chipless PIN three times over.”