Banking

What's in your Google Wallet?

Joshua Burke gives his take on Google Wallet and a projected outlook for NFC standards.

Google Wallet is a "virtual" wallet that stores payment information and allows you to pay for items quickly and conveniently from your phone -- both online and in stores; at least, that's the plan. The reality isn't quite so rosy.

The hard truth is that Google Wallet = Google plus Sprint in its current state. Add to that the infrastructure requirements to accept payments from Google Wallet and other Near Field Communication (NFC) devices, and the picture gets a little more down to reality.

As a mobile device manager, I get a little squeamish when it comes to NFC technology. We've already been through the whole "skimming" issue, with physical cards being swiped and their information stored during the course of normal transactions. NFC makes me nervous on that front.

To calm our fears, Google has adopted some advanced security around the NFC portion of Google Wallet as it's currently implemented on the Galaxy Nexus. Google stores information on something they call the "Secure Element," which is only accessible by select programs and requires authentication to use. Here are the official statements from Google regarding the security of the hardware and data:

What is the Secure Element, and how secure is it?

The Secure Element has many features designed to protect the security of the data it stores. It's separate from the phone's main operating system and hardware, which enables encrypted protocols to enforce access control. Only authorized programs like Google Wallet can access the Secure Element to initiate a transaction. There are multiple levels of protection for data stored on the Secure Element and it is protected at the hardware level from snooping or tampering.

Could a malicious application access my credit card on the Secure Element?

Both the Android platform and the Secure Element are designed to prevent this from happening. Android enforces strict access policies so that malicious applications won't have access to data stored by Google Wallet. Even Google Wallet itself has very limited access to the Secure Element and cannot read or write data from its memory. There are multiple levels of protection for data stored on the Secure Element, and it is protected at the hardware level from snooping or tampering.

If someone gets close to my phone, could they read sensitive data from my Google Wallet?

The NFC antenna in your phone is only activated when the screen is powered on, and even if the antenna is on and in proximity of a reader, payment credentials can only be transmitted from the Secure Element to a payment terminal after you have entered your Google Wallet PIN.

To features like these, I have to say, "Nice job." Google seems to be taking care of many of the major concerns around NFC, at least on paper. Many credit card companies have fallen prey to the security through obscurity methodology only to get bitten on the other end. Google Wallet remains untested in this regard.

The primary issue with Google Wallet and NFC solutions in general is lack of a standards and interoperability. Google is essentially creating its own standard and, in my opinion, is rushing to market with what amounts to a proof-of-concept. Meanwhile, in the background, Isis is revving up and is alleged to launch with support from three major phone manufacturers, multiple payment networks, multiple card issuers, and it will be compliant with NFC global standards to boot. This is a classic example of carrying water instead of building a pipleline.

That certainly doesn't mean that Google Wallet is doomed for failure -- far from it. In fact, I think there needs to be a few more players on the field before the standards wars will really rev up. We saw a similar path with ATM infrastructure. In the beginning, competing regional vendors were laying siege to the other players in the space through stonewalling interoperability and trying to starve them out. Eventually, everybody saw the light and discovered that the current approach was leaving money on the table for everyone. NFC is likely to follow a similar path to implementation.

With the pending launch of Isis and the "early" launch of Google Wallet, I would guess that 2012 will be the year that the NFC standards actually become standard. Similarly, 2013 will be the year of a bunch of macho posturing around who's best in the NFC space, and 2014 will be the year of reconciliation and interoperability. I wouldn't expect to be able to use Google Wallet widely prior to that.

In the meantime, there will be technological advances we haven't seen yet that will make the infrastructure piece more feasible on the whole. I remember the first time I saw a phone and credit card transaction. I was shopping at a local Farmer's Market, and one stand had a sign that they took credit cards. I was expecting the farmer to pull out the manual imprinter and save my transaction to process later. Instead, he pulled out a Nokia, swiped my card, and handed me my vegetables. That was quite awhile ago, and things have progressed from that point considerably.

Conclusions

The future of NFC is uncertain right now. It's a technology that's begging to be overrun by something smaller, faster, and lighter because of the infrastructure that needs to be put in place to scale support for point of sale (POS). On the other hand, NFC makes some logical sense with the way we humans currently transact business -- so, in the realm familiarity, it has an advantage.

I think Google Wallet has a good shot at making the grade in the NFC space, but right now, it's not ready for prime time unless you have Sprint, a Nexus Galaxy, a Citibank MasterCard, and happen to live in an area with a PayPassTM infrastructure in the majority of the places you shop. Those aren't a very good combination of odds as they stand right now.

The last part of this equation is Apple. The Cupertino giant hasn't weighed in on what it will use for NFC transactions. There have been rumblings of an NFC product that runs through iTunes and is Apple-specific. That would be interesting in the short run but is likely to prolong the standards compliance issues for the rest of the players on the field. Apple will want to own its process end-to-end -- it's the Apple way -- so, that may confuse the issue from a standards perspective.

In the end, the game to watch is how quickly all of the players in the NFC payment space can get over themselves and start working together so that everybody can make some money. Simultaneous to that issue is watching the technology underneath wireless payments in general. We might just see a game changer in the midst of this that trumps all of the current solutions and surprises all of us with it's simplicity and function.

Read also

4 comments
CharlieSpencer
CharlieSpencer

My TR 'blocked comments threshold' is set to '-10'. What is it about the two comments above that could have generated 10 negative votes each in less than 24 hours? Not one person who cast those negative votes posted a single comment. PTBs, can you tell who cast those negative votes?

Gromanon
Gromanon

NOT A CHANCE!! I'd never trust any advertising company with my personally critical information!

gke565
gke565

I would never use this service even if it was 100% secure. I don't need Google scanning my wallet for ad feeds, I get enough junk email from the banks and vendors. And if someone steals your phone, they have your credit cards (limited access = multiple attack points).