Are Google’s Wallet Dreams in Danger?


Let’s get something straight: Google’s head will always be in the clouds.
Every major product it’s working on — mobile, social, video, whatever — emphasizes long-term payoffs over short-term gains. For Google, the goal is to create products that revolutionize industries, shaking up established tech-biz hierarchies. Google Wallet, the company’s smartphone-based mobile payments initiative, is perhaps the apex of Google’s lofty thinking. And now Wallet is under fire for security risks, raising serious questions about the product’s long-term viability.
Security research firm Zvelo — which analyzes and sells threat-detection services — discovered a vulnerability in Wallet’s password system on Wednesday. In short, Zvelo found that smartphone thieves could potentially access users’ secret Wallet PINs. Wallet’s saving grace in this situation, however, is that the threat only applies to Android devices that have been “rooted,” a process that provides privileged, superuser access to whoever owns (or steals) the device. Rooting isn’t recommended for amateurs, and is usually only useful to software geeks.
So, to some degree, what Zvelo uncovered wasn’t a huge deal. Rooting your phone always comes with risks. What’s more, Google has consistently warned users about the security risk. “We strongly encourage people to not install Google Wallet on rooted devices,” said Google spokesman Nate Tyler in a statement provided to Wired. “And to always set up a screen lock as an additional layer of security for their phone.”

But not a day after the Zvelo blow-up, another, more serious problem came to light. Mobile blog The Smartphone Champ discovered that owners of non-rooted devices running Google Wallet were also potentially at risk.
Currently, you can only link a Citibank MasterCard to your Google Wallet account for payment. If you don’t have one of those cards, Google provides a pre-paid card that acts as a credit card, to which you can transfer money from any of your existing accounts (Citibank or any other creditor). The problem is, once you link your prepaid account to that phone, the linking data stays inside the phone — even after wiping a phone of all your personal information.
So, ultimately, if you lose or give away your phone, anyone can reinstall Wallet and access your prepaid account with his or her own PIN. The interloper can’t siphon out your credit card account, but he or she can still grab all the credits you’ve put into Wallet.
This is an egregious security risk. And it comes at a bad time. Google is already fighting an uphill battle to convince customers that linking credit cards to smartphones is a safe, preferred alternative to carrying around cash and plastic in beat-up leather.
Google’s response to this latest embarrassment, again, was swift. The company is currently working on an automated fix for the exploit, and it should be ready soon, says spokesman Nate Tyler. Moreover, Google urges anyone who loses a Wallet-carrying smartphone to disable his or her account ASAP.
But there’s still a problem: We aren’t yet capable of seeing our lost phones as lost wallets. Imagine your gut reaction after losing your physical wallet. You get on the phone and immediately cancel all your plastic, replacing your stolen cards with an entire set of new ones. A lost phone, however, usually just spurs a trip to a phone store or kiosk.
And that’s all to be expected for a mobile payments scheme that’s still in its infancy. Google launched Wallet less than half a year ago, and widespread adoption is seriously hindered by the fact that there’s literally only one phone on which Wallet will work: Samsung’s Nexus S 4G, carried by Sprint. That’s one smartphone out of hundreds of options. Even worse, at 9 months old, the Nexus S is positively ancient in mobile hardware years.
Wireless carriers aren’t making things easy for Google, either. Not wanting to miss out on a potentially lucrative new revenue stream, Verizon asked Google to block Wallet from the Samsung Galaxy Nexus smartphone a mere fortnight before the phone’s release. As it stood, Google and the credit card companies were the ones making all the money, while carriers like Verizon were denied any piece of the mobile payments pie. (As a side note, the carriers tried to do their own thing with the ISIS mobile payments initiative, but the credit card companies didn’t want to let that happen.)
And it gets worse for Google still: Even if the company manages to get Wallet’ed phones in the field and convinces carrier partners to play ball, it still must resolve retailer skepticism.
“Few retailers are prepared to support NFC payments, as it requires deployment of additional infrastructure at the checkout,” Gartner analyst Van Baker told Wired in an e-mail. “Even when all these ducks line up, there is little to convince the consumer to use the technology as they are pretty comfortable with their cards.”
Add all this up, toss in the recent security scares, and Google’s Wallet dreams look bleaker by the day. Nonetheless, Wallet looks like yet another project that Google is willing to tackle over the long haul, managing stumbles and flare-ups as they occur. It’s a strategy we openly accept in search development, and merely tolerate when it comes to personal data mining. But with Wallet, we’re entrusting Google with our money.
It’s a territory in which Google may not have unlimited time — and consumer patience — to explore.