
Stay calm and carry on, people: It's way too soon to say that NFC should stand for Now Fatally Corrupted. Yes, Google's breakthrough NFC payments app Wallet is being mentioned all over the news thanks to a flaw--it's vulnerable to a hack that gives nefarious types access to your secure PIN number. But don't believe any doomsayers or fearmongering that you may encounter on this matter; it's not as evil as it seems and, believe it or not, it's actually a sign that the future of wireless mobile payments is probably more secure than your current credit card.
As reported over at the blog of security firm Zvelo, Google's Wallet app has a wicked flaw right at its core. Wallet works as a three-way system, you see, with the official app running on your smartphone, a hardware chip inside the phone called the secure element, and the participation of the banks at the other end of the data pipeline (ready to check it's all legit and say "okay" when you swipe your phone at a merchant and say, in effect, "please pay this store $X amount").
The security loophole that Zvelo uncovered comes right at the point that the app talks to the secure element, because as an additional security feature--extra to those in place when you actually pay for something--the secure element requires you to enter a PIN number when you activate it after an interval. Thanks to what looks like a bit of sloppy coding by Google, this PIN is stored in an encrypted form on the phone, and if your phone is rooted then a malicious app could use the phone's own prodigious mobile computing power to crunch the encryption and work out your PIN, in a matter of moments:
[youtube P655GXnE_ic]
This means that if someone got ahold of your phone illegitimately, they could fairly swiftly have direct access to your PIN number and thus activate all the goodies hidden inside Wallet, including your stored credit card numbers and transaction history. That's an opportunity to be pretty evil, right there--though it's worth noting it doesn't affect the wireless payment system security itself.
But here's the thing: Your phone would have to be rooted, meaning you'd adjusted its Android code to allow you deep access to the operating system (not something every, or even most, Android users would ever do). And the thief would have to have direct physical access to your phone for a decent space of time to root it if you hadn't, and to run the special app. Google has already begun work on a fix, subject to a tricky battle with the banks over where responsibility for the encryption should lie (our question: why can't Google just show the numbers in the app as **** **** etc., as many online stores would do? It would deter this access). Even Zvelo itself notes that if you're a security-aware Android user you can put many barriers in the way of a thief performing the hack by encrypting the device and by making sure it has effective homescreen password locks.
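The flaw and the argument over where the PIN check should live, as an added Python example (not code from Zvelo, Google or the original article). The 4-digit PIN, the salted SHA-256 storage format and the five-try limit are assumptions of this example, and the PIN and salt are constructed values.

```python
import hashlib
import hmac

PIN_DIGITS = 4  # assumption: the article does not give the PIN length
MAX_TRIES = 5   # assumption: retry limit of the hardware model below


def stored_form(pin: str, salt: bytes, rounds: int = 1) -> bytes:
    """Assumed on-phone storage: salted, iterated SHA-256 of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)


def offline_guesses(stored: bytes, salt: bytes, rounds: int = 1):
    """Return (pin, guesses) for a reader of `stored` and `salt`.

    Only 10**PIN_DIGITS candidates exist, so a stronger hash or cipher
    slows each guess but cannot enlarge the search.
    """
    for n in range(10 ** PIN_DIGITS):
        guess = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(stored_form(guess, salt, rounds), stored):
            return guess, n + 1
    return None, 10 ** PIN_DIGITS


class HardwareCheckedPin:
    """PIN compared inside tamper-resistant hardware, with a retry counter.

    Nothing derived from the PIN is readable from outside, so there is
    nothing to test guesses against except verify(), which locks.
    """

    def __init__(self, pin: str):
        self._pin = pin.encode()
        self.tries_left = MAX_TRIES

    def verify(self, guess: str) -> bool:
        if self.tries_left == 0:
            raise PermissionError("PIN locked")
        if hmac.compare_digest(guess.encode(), self._pin):
            self.tries_left = MAX_TRIES
            return True
        self.tries_left -= 1
        return False


if __name__ == "__main__":
    salt, pin = b"constructed-salt", "4071"  # constructed sample values
    print(offline_guesses(stored_form(pin, salt, 100), salt, 100))
    chip = HardwareCheckedPin(pin)
    print([chip.verify(g) for g in ("0000", "0001", "0002", "0003", "0004")], chip.tries_left)
```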
If you think about it, this is actually an endorsement for the future security of wireless payments. If someone stole your current-generation plastic credit card, then there are none of these "extra" barriers in the way of the thief using it. Google around for news about "credit card theft" and you'll see endless examples all over the world of theft by cloned cards, faked signatures, stolen PINs for chip-and-PIN cards (something the U.S. will have to worry about soon) and so on. A single case in a single U.S. city--New York--in late 2011 involved $13 million in theft using stolen cards over a 16-month interval, and the crime is so common that credit card numbers are sold on the black market through a bizarre criminal "bazaar" for as little as $3.50 a pop. In 2009, it was found that card fraud was the number one fear of Americans, above terrorism, partly because of memories of the global economic crisis.
Your current plastic card, you see, is pretty vulnerable to fraudulent use. Yes, there are plenty of security protocols in place, and the tech to keep them safe is getting better--with chip-and-PIN being perhaps the best at the moment. But as criminal tech exploitation advances, the implications of physically losing your card or having it cloned at a merchant are getting bigger (we won't talk about online fraud--that's a separate issue, related to how we process payments over the web). Even the brand-new NFC credit cards are a little at risk because although they are more secure, if they're stolen then they're more or less as vulnerable as a normal card.
But if your payment data is wrapped up in an app on your smartphone, then thieves have to make a whole paradigm leap in tech savviness to get at the information and then make fraudulent payments. And if you do lose your phone--something that's perhaps harder to do than lose a tiny sliver of plastic card--you're more likely to notice, and with many of the over-the-air security systems now available you may even be able to wipe its contents and remove all data before the thief can access it. It's easy to imagine Apple, for example, beefing up the "find my iPhone" app to include a "nuke my card data" button if it ever enables NFC payments. Plus if there is a vulnerability exposed in these smartphone-based systems in the future, it may be fixable by an over-the-air update, which is a feature that simply couldn't happen with current card tech.
You may have to become a little more tech-aware yourself to make the most of all this security, but that shouldn't be a problem--after all, we're the Facebook generation, right?
[Image: Flickr user boliston]
Chat about this news with Kit Eaton on Twitter and Fast Company too.


