Are credit cards in smartphone-based wallets safe? Google has insisted they are, but the company is now suspending prepaid credit cards in its mobile wallet because of some security issues.
The move on Saturday by the technology giant follows a report that someone other than a smartphone owner could use the balance on a prepaid card by adjusting the wallet's settings. In a posting Saturday on the official Google Commerce blog, Vice President of Google Wallet and Payments Osama Bedier wrote that the company has "temporarily disabled provisioning of prepaid cards," as a precaution while Google works out a fix.
The fix, he noted, is needed because of the possibility of "unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock." Bedier noted that Google Wallet is protected by a PIN, as well as the phone's lock screen. However, many users do not utilize the screen lock, since doing so would require entering a password whenever someone returns to the phone after a break.
Google's action followed a security flaw that began circulating Friday. Since the credit card belongs to the phone and not to a Google account, someone in possession of a smartphone can go to the application settings, erase the data associated with Google Wallet, and change the Wallet's PIN. The funds on a prepaid card can thus become available -- such as to someone who finds a lost phone.
Last week, security firm Zuelo noted another security flaw. Using a rooted smartphone with Google Wallet, someone other than the owner can get access to the Wallet's PIN via a brute force attack on the database storing the PIN, and thus make illegal credit card charges.
Google has noted that the Wallet is not designed for smartphones that have been rooted, which is usually by the owner. Bedier wrote that sometimes "users choose to disable important security mechanisms in order to gain system-level 'root' access to their phone," a practice which Google strongly discourages.
Neither of the recently exposed security flaws can be conducted remotely, but require physical access to the device. Google and others have argued that, in theory, smartphone-based credit cards can be more secure than the plastic kind.
Michael Gartenberg, research director at Gartner, said smartphone-based credit cards and virtual wallets are a "paradigm shift, involving a lot of chickens and eggs coming into play."
The plastic-based credit card industry took "a long time to ease people's fears," Gartenberg said, and a "sea change" like credit cards on phones will similarly happen "a lot slower than people think."
Google is "wise to take a step back and make sure things are resolved," he said, adding that the company still needs to educate users as to why virtual credit cards have advantages over the plastic cards they have in their actual wallet.