A few months ago, we ran a few stories, here and on our Finance Blog, about new transaction technology, even speculating whether it could be the beginning of the end for the trusty credit card.
Near-Field Communication (NFC) technology, which allows consumers to make payments in store by mobile phone, had been generating a lot of excitement about the next wave of transactional technology.
As it should, too. Quicker, cheaper and more convenient methods of payment are of benefit to all of us.
And yet, while the anticipation of Google Wallet and Kaching continued to whet the appetite of US and Australian consumers, Brits appeared to remain stone-faced and reluctant to embrace the new technology.
Only 17% claimed to be comfortable using their mobile phones as a credit card replacement, while 44% cited security as their primary concern. This caution may have already been vindicated, however.
One of the reasons why America has embraced this technology with such fervour is that launching the app requires a four-digit PIN, a security feature which, unlike in the UK, is not available on their standard physical credit cards.
(Reputedly, debates over fraud liability have prevented this kind of technology from becoming established in physical credit cards despite its precedent in reducing fraud.)
Google Wallet’s four-digit PIN for validating transactions was meant to be one of its prime security features, but serious security flaws have already been identified.
Joshua Rubin, a senior engineer from security researchers Zvelo and owner of RubixConsulting.com, has demonstrated how the four-digit Google Wallet PIN required to launch the app could be cracked with consummate ease, bypassing all safeguards and without risking a lockout.
One of the key issues with the technology, Rubin notes, is the strength of password that can be used practically. A 10-character password that contains both numbers and upper- and lower-case letters would frustrate users seeking to make frequent purchases.
Moreover, the way the information is stored means that a so-called ‘brute-force attack’ can decipher a four-digit PIN code in a matter of seconds.
"With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system", Rubin wrote in a blog post.
"Alternative less secure mechanisms, such as 4 digit PINs, are increasingly relied upon to provide the same level of security as a strong password on a desktop computer. Because the level of security required to access these applications is so much lower, it is not realistic to rely on these same mechanisms to protect extremely sensitive information", he later added.
The irony is, of course, that the unwillingness of banks to accept liability for physical chip-and-PIN credit cards is set to land them a potential virtual problem instead.
The saving grace, Rubin notes, is that the attack requires user privileges, and without a user ‘rooting’ the phone, a remote attack is unlikely. A locked screen and encryption will help to protect a user’s PIN in the event of a lost or stolen phone.
So, are Brits reluctant to embrace new technology purely because chip-and-PIN cards sit comfortably in wallets and pockets, where they feel much safer?
It is more likely that this reluctance comes because the technology is long-implemented here, and security is still not guaranteed.
A MoneyMail investigation recently revealed that swathes of UK credit card details are being made available through Eastern European websites – enough to allow purchases to be made wherever transactional technology is less robust.
These details are acquired through ‘skimming’ cards at ATMs and through phishing scams online.
Banks are liable for the £300 million in credit card fraud that takes place every year, though we can all but guarantee that these costs are recouped elsewhere.
The increasing popularity of 24/7 accessible internet banking means that security remains a major issue for UK credit card users before mobile payment systems even enter the fray. But there are simple measures that can be taken to considerably reduce the risk.
If in doubt, seek advice from your bank or a security professional. There's no point taking risks when it comes to credit cards. As we've seen, it's not always difficult for others to catch you out.
Keith McDonald
Which4U Editor