Providers of electronic financial services have constantly debated the value and risks associated with being first to market. This is because the bar is set much higher for financial institutions and related companies to get it “right” the first time. Unlike some pretty famous software companies who have historically released software into the public for their users/customers to de facto perform their end-user testing, financial service companies have no such luxury. The stakes are just too high to put customers in the position of finding any remaining bugs and defects. FI’s are the custodians of the public’s money and have a fiduciary to protect it and their privacy. Trust, in the end, is what it is all about and releasing a flawed financial tool or service into the marketplace can have disastrous consequences.
Financial institutions are well aware that they are perceived as being slow to adapt to new technology lacking in the innovation department and allowing themselves to be disintermediated by more nimble, less regulated entities. Yet they constantly have to balance innovation and speed to market with the real risks associated with launching a new product that has not been robustly tested and every risk identified and mitigated. And rolling out a flawless or near flawless product or service takes time.
So today’s American Banker article (found below) describing the security flaws uncovered with the recent release of Google Wallet is a good example of the risks financial institutions have faced for years. First to market in the financial services arena is not necessarily a coveted position because nothing good usually comes from not absolutely production ready – meaning it has no defects or bugs.
Of course, as you will read, there are other ongoing unresolved issues between the mobile carriers, financial institutions, device makers and software companies who are all jockeying to remain vital to their customers. Holding the prized position as the provider of the vital, “Fort Knox like” security is coveted and mandatory if mobile payments are to become mainstream. Let’s put aside for the moment, however, another yet unresolved question as to why merchants need or want to support mobile payments at the point-of-sale in the first place! Where, how and who ends up being the party to truly secure mobile payments and mobile wallets is a big piece to this puzzle that is still undecided. So get comfortable and get your popcorn and soda, because things are only going to get more intense and interesting!
I’ve included the original article from American Banker below (for a quick read), but you can also click on the link below to go directly to American Banker’s website: as well as the link direction
As Google Inc. learned in the past week, the security problems with digital wallets are thorny and complex.
They involve everything from the difficulties of securing payment data on mobile phones used to the question of whether security credentials should be stored in the cloud or on the phone itself.
Any misstep, however temporary, could erode the delicate trust banks and technology companies are trying to build around mobile payments.
The security double-whammy that struck Google came from the research firm zvelo Inc. of Greenwood Village, Colo. Google said Tuesday that it fixed the most glaring flaw zvelo uncovered, but zvelo said it was unable to test Google’s fix by deadline.
The Google Wallet app is protected by a PIN chosen by the user. Once unlocked, the Wallet allows payments from a directly linked payment card or a Google-branded prepaid account. Since only Citigroup Inc. has linked its accounts to Google Wallet, most users would store funds in the prepaid account.
Zvelo demonstrated last week that Google Wallet users can have their PIN codes and other wallet information extracted with a PIN-cracking app that can be run under certain conditions.
A separate — and far more straightforward — flaw allows an attacker to access the funds in the user’s prepaid account by wiping the user’s Google Wallet settings. This attack deletes the user’s PIN in the process.
“Ideally, if a user had a prepaid account they would be challenged in some way to prove their identity,” but Google provided no such challenge to a user accessing the funds after the app was reset, says Joshua Rubin, senior engineer for zvelo and the lead engineer on the study that exposed the security flaws.
This flaw may reappear in any other mobile payment system, since banks and other technology companies face the same pressures Google did in designing a mobile wallet.
Part of the reason behind Google’s streamlined security approach is that consumers would likely find stronger identification procedures an impediment to their use of the mobile wallet. A magnetic-stripe card, by contrast, does not need to be unlocked before each use.
Google Wallet stores payment information, but not the PIN, within the secure element that smartphones contain if they are equipped to make transactions with a near-field communication chip.
But the secure element is currently the subject of a turf war between mobile phone carriers and the banks. Each would like to use the secure element to control the wallet experience and be compensated for it, experts say. Neither wants to assume liability for a data breach.
“Banks are basically at risk for letting themselves get disintermediated by these services,” says Peter Wannemacher, an analyst for Forrester Research Inc.
Citi’s data was not affected by the security flaw Rubin uncovered, the bank says.
“No Citi client information is stored on the Google Wallet, and the Wallet PIN is separate and distinct from any PIN the client may have enabled on their card account,” a Citi spokeswoman says.
Removing data from the mobile-wallet environment might be the right approach, says Rick Oglesby, a senior analyst at Aite Group LLC.
It’s excessive to store the wallet PIN within the secure element, since the PIN is meant to unlock the data within the secure element, Oglesby says.
What’s needed are layers of security, such as exist for online banking today, experts say. Challenge questions could pop up when the phone detects settings or users have changed, experts say.
Developers could also place a software cache on phones that encrypts personal data, says Rubin.
But for now, it comes down to basics.
“Google’s response, which people should heed, is: if you lose your phone, call the toll-free line to make sure the [prepaid] card is cancelled,” Rubin says.