In the wake of two security flaws reported in its Google Wallet mobile payment system last week, Google has clamped down on the system and is scrambling to come up with a fix.
One of the two flaws affects only rooted devices.
But it’s the second that troubles Google more. That flaw lets anyone operating the victim’s phone gain access to the victim’s prepaid card in Google Wallet simply by going into the device’s applications settings folder, clearing the data for the mobile payment service and setting up a new PIN.
“On Friday, we disabled the ability to provision cards,” Google spokesperson Sierra Lovelace told TechNewsWorld. “A permanent fix will be rolled out soon.”
Google’s restriction on provisioning prepaid cards will only impact new cards and refills, the company’s Lovelace pointed out. “If you had already provisioned the prepaid cards, you can use them as usual,” she said.
This flaw is “a fairly trivial problem in some respects,” Nick Holland, a senior analyst at the Yankee Group, told TechNewsWorld. “People don’t tend to store a great deal of money in prepaid cards.”
However, the repercussions of this flaw may be far greater because “consumers have got their own wallets with them anyway — and they’re likely to go back to using their traditional credit cards again,” Holland suggested.
Google’s partners for Google Wallet include Visa, American Express, MasterCard, Discover, Sprint, Citibank, American Eagle and other store chains.
The partners appear to be unfazed by problems with Google Wallet. “I haven’t seen any of our partners respond publicly,” Google’s Lovelace said.
Swimming With the Sharks
It’s the competition that might give Google a real headache over the security flaws in Wallet.
AT&T Mobile, Verizon Wireless and T-Mobile have set up the ISIS, consortium to get into the NFC payment space.
NFC, or near field communications, is the technology used in Google Wallet for mobile payments.
ISIS has garnered support from companies like HTC, LG, Motorola Mobility, Research In Motion and Samsung.
However, that threat is somewhat mitigated because Samsung is a major player in the Android space, and offers the Galaxy Nexus, which incorporates Google Wallet. As for Motorola Mobility, it’s been purchased by Google.
Further, ISIS “might never get off the ground, so [its threat] could be a moot point,” the Yankee Group’s Holland pointed out. “They’ve put back their pilot date, to Q4 now.”
Still, Google needs to remain focused. PayPal’s coming on strong as a real threat, with Ingenico agreeing in January to integrate the PayPal payment card solution into its point-of-sale solutions.
Further, PayPal has lined up two store chains — Office Depot and Home Depot — to use its POS solutions. Customers only need to use their telephone number and a PIN. PayPal plans to offer the service in 20 major retail chains by the end of the year.
Verizon Wireless has ruled out including Google Wallet in the version of the Samsung Galaxy Nexus it will offer later this year, stating its decision has to do with security.
Light at the End of the NFC Tunnel
Eventually, NFC will take off, the Yankee Group’s Holland opined.
“We’re putting the cart in front of the horse here, because we’re trying to get people to use NFC payments out of the box when it’s technology they’re not used to,” Holland said. “They need to get training wheels first.”
Google might have to move to a cloud-based wallet, which will let it scale and be platform-agnostic, Holland suggested.
“I still believe in NFC, but I think you’ll have a little more of cloud-based initiatives, and it could be through your tablet, your Xbox, or your set-top box, for example,” Holland stated.