What’s In Your Google Wallet? Hackers Can Find Out!


Last week, web security firm zvelo disclosed that it applied a fairly simple brute-force attack to hack the PIN protection of Google Wallet, an application that stores payment card numbers and other sensitive data on your mobile phone.

To its credit, Google acknowledged zvelo’s discovery, and moved quickly to develop a fix. But the episode offers a cautionary tale to vendors who, in their rush to market, ignore the vital role that consumer trust plays in adoption of virtual wallet technology.

To be clear, I am cheering for the rapid deployment of any application that lets you use your device to make purchases. I want the technology to succeed. But that’s precisely why I feel virtual wallet applications should be backed by a secure foundation of hardware security.

The fallout from one highly publicized breach could poison consumer adoption and attitudes toward the technology for years. And, if I’ve learned anything in the last two decades, it’s that hiding credentials behind a wall of software is a breach waiting to happen.

In the case of Google Wallet, it appears the PIN securing Google’s mobile phone payment system was managed and protected in software. This practice is a well-known weakness among security experts, as illustrated by the timeline of news coverage on this topic at SlashGear.

It turns out there are several downloadable applications that allow you to hack Google Wallet quickly and easily. And this discovery has led Google to turn off services formerly offered through its virtual wallet app, such as the use of pre-paid cards.

Such developments are unfortunate news to advocates of virtual wallet apps – and not just because of the damage to consumer confidence. The real disappointment is that such breaches are avoidable. Limiting virtual wallet applications isn’t the solution any more than continuing to put faith in software security is. The answer is hardware security.

Ironically, the effectiveness of embedding security in device hardware was first proven by the SIM cards embedded in cell phones. Only later was it further refined for data devices in the form of Trusted Platform Modules (TPMs) that are now on board virtually every corporate-class laptop shipped today. Unlike software measures, TPMs can offer a very strong foundation for data security by physically embedding the encryption keys for digital wallets within the hardware of a mobile phone.

It isn’t a significant leap to perform secure PIN matching or biometric authentication directly on the hardware of all end-user devices, from PCs to phones. Dell has employed the practice for years on its Latitude laptops, thus establishing the platform as one of the most secure authentication models for PCs today. The principle is also part of the pending launch of Microsoft Windows 8, which will support security based on the embedded TPM.
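The contrast the post draws, as an added example that is not part of the original post and is not Google Wallet's actual implementation: a constructed model of a four-digit PIN checked in software (a salted hash sitting in app storage, which anyone who copies that storage can test against offline) beside a hardware-style verifier that keeps the PIN and the wallet key inside the chip and enforces a retry counter. The class and function names, the three-try limit and the sample PIN are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every possible four-digit PIN

def software_pin_record(pin: str) -> Tuple[bytes, bytes]:
    """Weak design: the PIN check lives in app storage as a salted hash, so anyone
    who copies that storage can test guesses offline with no attempt limit."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + pin.encode()).digest()

def offline_guess_count(salt: bytes, digest: bytes) -> int:
    """Hash evaluations needed to recover the PIN from a copied record. The salt
    stops precomputation, but the search space is still only PIN_SPACE."""
    for n in range(PIN_SPACE):
        if hmac.compare_digest(hashlib.sha256(salt + f"{n:04d}".encode()).digest(), digest):
            return n + 1
    raise ValueError("record does not hold a four-digit PIN")

class HardwarePinVerifier:
    """Model (constructed, not a real chip API) of a secure element / TPM verifier:
    the PIN and the wallet key it releases never leave the chip, the only interface
    is try_pin(), and a tamper-resistant retry counter locks it after MAX_TRIES."""
    MAX_TRIES = 3  # assumed limit; real chips pick their own

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self._wallet_key = os.urandom(32)  # key protecting the stored card data
        self.tries_left = self.MAX_TRIES

    def try_pin(self, guess: str) -> Optional[bytes]:
        if self.tries_left == 0:
            return None  # locked: no further guesses are even evaluated
        if hmac.compare_digest(self._pin, guess.encode()):
            self.tries_left = self.MAX_TRIES  # correct PIN resets the counter
            return self._wallet_key
        self.tries_left -= 1
        return None

def guess_against_hardware(verifier: HardwarePinVerifier) -> Tuple[Optional[bytes], int]:
    """The same enumeration aimed at the hardware-style verifier: it ends after
    MAX_TRIES wrong guesses and the wallet key is never released."""
    for n in range(PIN_SPACE):
        if verifier.tries_left == 0:
            return None, n
        key = verifier.try_pin(f"{n:04d}")
        if key is not None:
            return key, n + 1
    return None, PIN_SPACE
```

With the software record every one of the 10,000 PINs can be tested in well under a second; against the counter-backed verifier the same search gets exactly three guesses before the chip stops answering.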

Unlike software, hardware provides secure device identity, and it therefore assures the security of a user’s identity and credentials. Imagine a world in which you don’t have to keep track of hundreds of passwords – you log into your device and then your device logs you in to the service. The time to deploy this solution is now, before further headlines of security vulnerabilities in virtual wallet applications turn consumer attitudes against what could be a very cool application.


Since taking the helm as CEO in 2000, Steven Sprague has played an integral role driving the industry transition to embed stronger, hardware-based security into the PC. He holds executive responsibility for all operations within Wave. During his time as CEO he has guided Wave to a position of market leadership in enterprise management of self-encrypting hard drives and Trusted Platform Module security chips. As a popular speaker and IT security thought leader, Steven speaks at dozens of conferences and events each year—educating global audiences about the latest PC hardware security advancements and industry standards (both on behalf of Wave, and in his leadership role with the Trusted Computing Group). His expertise lies in leveraging advancements in hardware security for strong authentication, data protection, advanced password management, enterprise-wide trust management services and more. Steven earned a BS from Cornell University in 1987.