Picture this: You’ve just ordered a tasty “$5 Footlong” at Subway and it’s time to pay up. But instead of pulling out your wallet or fishing around for the debit card floating around in your purse, you simply whip out your smartphone, type in a PIN, tap it on a telltale sensor at the register, and boom—you’ve settled up and you’re out the door.
Enticing, yes, but here’s the thing: How secure will Google Wallet really be? What happens if you lose your phone? Or what if a malicious application tries to steal your stored credit cards?
Google says it has dozens of merchants and more than 300,000 PayPass-enabled retailers lined up to make its “Google Wallet” dream a reality—although for now, we’re just talking a limited trial (in New York and San Francisco), a single phone (the Nexus S on Sprint), a handful of retailers (including Macy’s, Subway, Walgreens, Toys ‘R Us, Bloomingdale’s, Duane Reade, and Radio Shack), and either a Citi MasterCard or a Google Prepaid Card. (You can read up on the details—including Google’s bid to take on Groupon with Google Offers—right here.)
Stored credit cards in Google Wallet are protected by a PIN and a special, separate chip isolated from the phone's standard memory.
OK, but what about security? Well, here’s how it’s supposed to work.
First off, you’ll have to establish a Google Wallet PIN that you must enter before each and every transaction, much like you would when paying with a debit card. And for an extra layer of security, users would probably want to lock the screens of their handsets with a separate code.
Next, Google says your Google Wallet-enabled phone will store credit card information on a separate chip, dubbed the “Secure Element,” that’s isolated from the rest of your phone’s memory. The Secure Element runs its own programs, according to Google, and the chip won’t allow any programs except for its own to tap into your stored financial data. As an added security measure, the Secure Element chip is only activated while Google Wallet is unlocked; otherwise, it’s in a state of lockdown.
OK, so your credit card data is kept in its own little fortress on your phone. But what about when your payments are wirelessly transferred from your phone to the PayPass reader, just a few inches away? Could a hacker camp out near a register and pick your credit card number out of the ether?
Theoretically, yes, but Google says we can rely on MasterCard’s “secure encryption technology” to keep your data safe during its short, mid-air journey from phone to PayPass sensor (knock wood).
Finally, what happens when you inevitably leave your phone in the backseat of a cab—or worse, lose it to a sneaky pickpocket? Well, just what you’d do if you lost your regular wallet or credit card: call your bank or credit card company and report your card stolen. Fair enough … although you’d probably need to borrow a phone from a friendly bystander if yours goes missing.
Overall, it’s sounding like using your Android phone as a “tap-and-pay” digital wallet may be no more—or less—secure that toting around a stack of plastic, or swiping your credit card at the counter. (After all, have you ever heard of credit card “skimming” scams? Scary.)
Here’s the thing: The real problem with Google Wallet may end up being its ubiquity—or lack thereof—rather than security. After all, PayPass readers have been around for years, but they’re in so few stores that I’ve personally never bothered to use one. Google’s ultimate challenge will be convincing more credit card companies (Visa, anyone?) and retailers to jump on board, not to mention rolling out more phones with the necessary NFC (short for “Near Field Communication”) hardware.
But what about you: Would you trust Google Wallet with your credit cards?