
Tuesday, February 14, 2012

Google Wallet Security

A recurrent discussion at security conferences over the last year has been that mobile threats will become more and more significant as mobile devices are increasingly used for financial activities.

I can absolutely agree with that. In fact, it is money, or rather revenue opportunities, that drives "investments" inside the malware producer community, which is becoming very similar to a real industry. In this regard, there are a couple of articles I suggest you read if you're interested in the evolution of malware merchants.

Security researchers are also going to focus much more on this area in their search for vulnerabilities.

I've just found a video in which a security researcher demonstrates a vulnerability in Google Wallet.

Google Wallet is a mobile payment system (developed by Google, of course) that allows its users to store credit cards, gift cards, etc., as well as redeem sales promotions on their mobile phone. Google Wallet uses NFC (Near Field Communication) to allow payments by tapping the phone on any enabled terminal.

The vulnerability described in this video is impressive because it is very easy to exploit: it doesn't require any extra software or tools. It allows prepaid funds to be easily stolen from devices that are lost or stolen (in Google Wallet the funds are tied to the device itself and not to the Google account).

Google was very responsive and decided to temporarily stop provisioning prepaid credit cards to prevent any exploitation of this vulnerability.

To complete the picture of Google Wallet vulnerabilities, I must mention that a few days ago another vulnerability was identified in Google Wallet that could reveal a user's Google Wallet PIN. In that case it is not so easy to build an exploit, since the attacker first needs to obtain root credentials on the mobile phone. Of course, if the phone was jailbroken, that step is already done.

It is not difficult to predict that mobile phone-based credit card payments will become a burgeoning industry... for many industry players including malware merchants.