Google Wallet Security

Bill St. Clair billstclair at gmail.com
Thu Sep 22 06:34:31 PDT 2011


I haven't seen details on how this works, but from the short
description on that Wikipedia page, which matches Google's
description, the PIN enables the NFC antenna, which allows the "Secure
Element" chip to communicate over the NFC radio link. The NFC station
can then query the Secure Element for the user credentials, which I
assume are sent encrypted with the credit card issuer's public key. So
you'd have to send a transmission over the NFC radio link's limited
range that looks to the Secure Element to be coming from a credit card
issuer. Hopefully, the encryption between the credit card issuer and
the Secure Element is end-to-end, so there's no way for anybody else
to snoop on it. So if you can steal the PIN, hack the OS to simulate
that PIN being typed, while the user is close to an NFC station that
can impersonate a valid credit card issuer, you're golden. Sounds hard
to me.

Lots of guesses there, however. I hope Google will publish the
protocols. Maybe they already have. I didn't look.

-Bill St. Clair

On Thu, Sep 22, 2011 at 8:52 AM, Sarad AV <jtrjtrjtr2001 at yahoo.com> wrote:
> Hello,
>
> Is there anything that stops the card number and PIN from being stolen and transmitted to a malicious remote user when a smartphone using Google Wallet has a virus on it and is connected to the internet?
>
> http://en.wikipedia.org/wiki/Google_Wallet#Security
>
> Thank you,
> Sarad.





More information about the cypherpunks-legacy mailing list