Hello, Is there anything that stops the card number and PIN from being stolen and transmitted to a malicious remote user when the a smartphone using google wallet has a virus on it and is connected to the internet? http://en.wikipedia.org/wiki/Google_Wallet#Security Thank you, Sarad.
I haven't seen details on how this works, but from the short description on that Wikipedia page, which matches Google's description, the PIN enables the NFC antenna, which allows the "Secure Element" chip to communicate over the NFC radio link. The NFC station can then query the Secure Element for the user credentials, which I assume are sent encrypted with the credit card issuer's public key. So you'd have to send transmission over the NFC radio link's limited range that looks to the Secure Element to be coming from a credit card issuer. Hopefully, the encryption between the credit card issuer and the Secure Element is end-to-end, so there's no way for anybody else to snoop on it. So if you can steal the PIN, hack the OS to simulate that PIN being typed, while the user is close to an NFC station that can impersonate a valid credit card issuer, you're golden. Sounds hard to me. Lots of guesses there, however. I hope Google will publish the protocols. Maybe they already have. I didn't look. -Bill St. Clair On Thu, Sep 22, 2011 at 8:52 AM, Sarad AV <jtrjtrjtr2001@yahoo.com> wrote:
Hello,
Is there anything that stops the card number and PIN from being stolen and transmitted to a malicious remote user when the a smartphone using google wallet has a virus on it and is connected to the internet?
http://en.wikipedia.org/wiki/Google_Wallet#Security
Thank you, Sarad.
Yes, true. Also have to check the scenario as to how the card details are first entered into the phone and a malicious code already running at that time. Sarad. --- On Thu, 9/22/11, Bill St. Clair <billstclair@gmail.com> wrote:
From: Bill St. Clair <billstclair@gmail.com> Subject: Re: Google Wallet Security To: "Sarad AV" <jtrjtrjtr2001@yahoo.com> Cc: cypherpunks@al-qaeda.net Date: Thursday, September 22, 2011, 7:04 PM I haven't seen details on how this works, but from the short description on that Wikipedia page, which matches Google's description, the PIN enables the NFC antenna, which allows the "Secure Element" chip to communicate over the NFC radio link. The NFC station can then query the Secure Element for the user credentials, which I assume are sent encrypted with the credit card issuer's public key. So you'd have to send transmission over the NFC radio link's limited range that looks to the Secure Element to be coming from a credit card issuer. Hopefully, the encryption between the credit card issuer and the Secure Element is end-to-end, so there's no way for anybody else to snoop on it. So if you can steal the PIN, hack the OS to simulate that PIN being typed, while the user is close to an NFC station that can impersonate a valid credit card issuer, you're golden. Sounds hard to me.
Lots of guesses there, however. I hope Google will publish the protocols. Maybe they already have. I didn't look.
-Bill St. Clair
On Thu, Sep 22, 2011 at 8:52 AM, Sarad AV <jtrjtrjtr2001@yahoo.com> wrote:
Hello,
Is there anything that stops the card number and PIN from being stolen and transmitted to a malicious remote user when the a smartphone using google wallet has a virus on it and is connected to the internet?
http://en.wikipedia.org/wiki/Google_Wallet#Security
Thank you, Sarad.
participants (2)
-
Bill St. Clair -
Sarad AV