Mobile Wallets: Security and Privacy Questions Raised By New Google App

It is billed as the future of commerce: swiping a smartphone at the checkout counter instead of a credit card.

On Monday, Google made its foray into the budding market of mobile payment systems by launching Google Wallet, an app that stores users' credit card information on their phones, allowing them to purchase goods by swiping their phones at stores.

But this new form of shopping also raises new questions about privacy and security. According to Google, the app is even safer than a real wallet. But some experts say the technology presents privacy concerns while offering an attractive -- albeit challenging -- target for cyberthieves.

"You can be relatively certain that bad guys will look at ways to exploit this," said Kevin Mahaffey, co-founder of the mobile security firm Lookout, Inc.

For now, Google Wallet is only available to consumers using Google’s Nexus S 4G phone on Sprint Nextel’s network and a Citi MasterCard credit card. On its blog, Google said it hoped to eventually open the app to Visa, Discover and American Express credit card holders.

The mobile payment market is expected to get crowded. Another network called Isis -- backed by AT&T, Verizon and T-Mobile -- is expected to launch early next year. PayPal is also planning to unveil a new mobile payment system.

The market for mobile payments is projected to nearly triple in value from $240 billion this year to $670 billion globally by 2015, according to a report in July by Juniper Research.

Mobile payment systems like Google Wallet rely on a wireless technology called "Near Field Communication" that allows users to make payments by tapping their smart phone against special wireless readers like MasterCard’s PayPass.

Google says it has taken several measures to ensure this technology is not exploited by cyberthieves. For one, users must enter a PIN to make a purchase. The PIN expires after a short window of time and if the PIN is entered incorrectly five times, the app disables itself, according to Rob von Behren, a software engineer who co-founded the Google Wallet project.

Google Wallet also stores credit card data on a computer chip that is isolated from the phone's Android operating system, software that has increasingly become a target for hackers, according to a recent report by the security firm McAfee.

"Google wallet goes far beyond the security that you have with your traditional wallet," said Google spokesman Nate Tyler.

Mobile payment systems are a dramatic improvement from the "byzantine" system of plastic credit cards -- millions of which have fallen into the hands of cybercriminals who hack into unprotected computer systems, Mahaffey said.

"At the end of the day I think mobile payments are the future," Mahaffey said.

With its official launch on Monday, security researchers are just starting to look for vulnerabilities with Google Wallet. Several said the product appeared to feature a high level of security because credit card information is stored on the phone's hardware, not its software. But others see potential privacy concerns with mobile payment technology.

Andrew Hoog, chief investigative officer and co-founder of cybersecurity firm viaForensics, said users are allowing mobile payment developers to collect a vast amount of information about their shopping habits that would be valuable to advertisers. For example, Hoog said users could receive targeted advertisements for pet food when they walk past pet stores based on their smart phone's GPS and purchasing history.

"More of your information and purchasing habits wil become known and able to be mined and marketed," Hoog said. "You just have to be comfortable with it."

A Google spokesman said the company envisions adding targeted advertising to Google Wallet, but it is not currently a feature.

Kevin Fu, a computer science professor at the University of Massachusetts at Amherst, said mobile payment technology -- with its extra security layers -- could have the potential to reduce credit card theft, but consumers should be wary of companies promising total security.

Five years ago, Fu and his fellow researchers found that millions of so-called "no swipe credit cards," which were marketed as being encrypted, were actually not encrypted. The technology allowed the researchers to steal the cardholder's name and other card data through a wallet or clothing by using a device created from inexpensive radio and computer parts.

Google Wallet encrypts users' credit card data so it can't be read by wireless card readers, von Behren said. But with mobile payment systems still in their infancy, there is little evidence to demonstrate the technology can ensure security and privacy other than developers saying "trust us," Fu said.

"And we've seen that fail in the past," Fu said. "If history has taught us anything, we should be cautious about taking their word."

Popular in the Community