Last week, web security firm zvelo disclosed that it applied a fairly simple brute-force attack to hack the PIN protection of Google Wallet, an application that stores payment card numbers and other sensitive data on your mobile phone.
To its credit, Google acknowledged zvelo’s discovery, and moved quickly to develop a fix. But the episode offers a cautionary tale to vendors who, in their rush to market, ignore the vital role that consumer trust plays in adoption of virtual wallet technology.
To be clear, I am cheering for the rapid deployment of any application that lets you use your device to make purchases. I want the technology to succeed. But that’s precisely why I feel virtual wallet applications should be backed by a secure foundation of hardware security.
The fallout from one highly publicized breach could poison consumer adoption and attitudes toward the technology for years. And, if I’ve learned anything in the last two decades, it’s that hiding credentials behind a wall of software is a breach waiting to happen.
In the case of Google Wallet, it appears the PIN number securing Google’s mobile phone payment system was managed and protected in software. This practice is a well-known weakness among security experts, as illustrated by the timeline of news coverage on this topic at SlashGear.
It turns out there are several downloadable applications that allow you to hack Google Wallet quickly and easily. And this discovery has led Google to turn off services formerly offered through its virtual wallet app, such as the use of pre-paid cards.
Such developments are unfortunate news to advocates of virtual wallet apps – and not just because of the damage to consumer confidence. The real disappointment is that such breaches are avoidable. Limiting virtual wallet applications isn’t the solution any more than continuing to put faith in software security is. The answer is hardware security.
Ironically, the effectiveness of embedding security in device hardware was first proven by the SIM cards embedded in cell phones. Only later was it further refined for data devices in the form of Trusted Platform Modules (TPMs) that are now on board virtually every corporate-class laptop shipped today. Unlike software measures, TPMs can offer a very strong foundation for data security by physically embedding the encryption keys for digital wallets within the hardware of a mobile phone.
It isn’t a significant leap to perform secure PIN matching or biometric authentication directly on the hardware of all end-user devices, from PCs to phones. Dell has employed the practice for years on its Latitude laptops, thus establishing the platform as one of the most secure authentication models for PCs today. The principle is also part of the pending launch of Microsoft Windows 8, which will support security based on the embedded TPM.
Unlike software, hardware provides secure device identity, and it therefore assures the security of a user’s identity and credentials. Imagine a world in which you don’t have to keep track of hundreds of passwords–you log into your device and then your device logs you in to the service. The time to deploy this solution is now, before further headlines of security vulnerabilities in virtual wallet applications turn consumer attitudes against what could be a very cool application.