Before we go into the security details, let’s quickly review the basics of how Google Wallet works.
Google Wallet will function as a free app on your Android phone. As of its introduction, it can store eligible Citi Mastercards or be used with a Google Prepaid Card, which can be funded with any credit or debit card.
If you want to pay using Google Wallet at a store that supports PayPass, you can do so just by tapping your phone on the PayPass terminal. Information is exchanged wirelessly between your phone and the terminal using Near Field Communication (NFC) technology. NFC only transmits data over a very short range, and does not use your phone’s standard mobile data plan. It will work even if you don’t have a connection to the web, but your phone does need to have battery life.
With the transaction complete, you’ll be provided with a digital receipt on your phone, and can go on your merry way.
Is PayPass NFC Safe?
Wireless and security are two terms that don’t go together in the minds of many users. This is largely because of media attention to wireless hacks related to unsecured 802.11 connections. It’s understandable that people would be worried about any wireless connection, but NFC is not related to 802.11 and offers better security, with several layers of defence.
The first is provided by the low power of the NFC radio. It’s built to only send data over distances measured in centimeters, which is why Google Wallet is usually activated by tapping your phone on a PayPass terminal.
Second, it isn’t your bare credit card number jumping across that scant distance to the terminal. PayPass encryption technology is used to transmit and read the data. Encryption scrambles the data with an algorithm before it is sent, and the PayPass terminal then unscrambles it. Anyone who manages to pick up the data in between will be looking at a jumbled mess.
Citi MasterCard PayPass users receive an additional layer of comfort in the company’s zero liability policy, which does not hold card owners liable for fraudulent purchases (with some limited exceptions).
None of these features on its own, or even in combination, means that the data sent could not be hacked, at least in theory. However, taken together, they clearly provide a level of security that is more than adequate, and likely more secure than what you already use. Those in opposition to this technology often forget that criminals have had access to skimming devices capable of stealing data off magnetic stripe cards for years.
What if My Phone Is Stolen?
Even if you trust wireless technology to keep your card data safe, you may have problems leaving that information on your phone. While a wallet can be lost as well, you usually keep that in your pocket unless you need to pay for something. Phones, however, are sometimes put down on a table or desk, making them easier to leave behind.
Google has thought of this, and keeps card data secure using a chip it’s calling the Secure Element. It’s an independent, encrypted chip inside your phone that is kept entirely separate from the operating system and only accessible by authorized apps.
The idea of using a separate chip or specific portion of a chip to store certain data for security purposes is not unusual. Intel’s recent purchase of McAfee in 2010 was conducted specifically for this reason. The company wanted to develop built-in, hardware-based security features, not unlike the Secure Element that will be used in phones that support Google Wallet.
In addition to the chip, Google Wallet can be locked with a PIN. This provides protection against attempts to access card information through the Google Wallet app, and adds an additional layer of security besides the PIN or lock you might already use to protect against unauthorized access to your phone.
What if your phone doesn’t have this security chip? It will. Google is not going to offer wireless payments on phones that do not have the Secure Element, which is why the technology will be rolling out on the Nexus S 4G, the only phone currently on the market which is designed for use with Google Wallet’s tap-and-pay feature.
Although Google Wallet provides a number of security features, its use will require that some owners give their phones a greater degree of respect. Both Google and MasterCard require that users who lose a phone with their card information stored in Google Wallet report the issue immediately to their credit card company. It should be treated exactly as if a normal credit or debit card had been lost. Most people are pretty attached to their phones, though, and do a pretty good job of not leaving them lying around. That attachment also means you are likely to notice your phone is gone sooner than you would notice a missing wallet, as one is in almost constant use, while the other only comes out when you buy something.
There is no security that can provide 100% protection once a device has left the hands of its owner and arrived in the hands of someone with malicious intent. That’s true of more than just phones or computers. Hand a safe to robbers, and they’ll find a way to open it - if they feel the time and effort is worthwhile. Reporting the lost or stolen phone promptly closes the time window on their attempts.
It’s that last part, however, that is important. Security measures do not prevent intrusion absolutely, but instead make it so difficult that no one feels trying is worth the effort and risk. It’s your credit card number, not a nuclear launch code. The various layers of security used by Google Wallet - including a secure encrypted chip, short-range data transmission and encrypted data transmission - are more than enough to shut down most hackers and criminals, who would much rather seek easier prey.
- Google: Google Wallet FAQ http://www.google.com/wallet/faq.html
- MasterCard: MasterCard Zero Liability Policy http://www.mastercard.com/au/personal/en/zeroliability/index.html