Since December 25 of last year, when I received a Galaxy Nexus smartphone, I have been an early adopter of Google Wallet. I am very proud of this fact, to the point where I will go out of my way to shop at retailers who support this technology and make shameless plugs for Google Wallet to onlookers, in order to give the service more market exposure. Consistently, however, the only response I seem to receive from said onlookers or cashiers when I tap my phone to pay is: “It looks easy to steal your identity through that thing…” Yes… of course, that’s exactly my point in paying this way. Never mind the fact that Google Wallet is a revolutionary smartphone-based payment system. Never mind that it cuts transaction times down from two minutes to 30 seconds. Never mind that it has the potential to keep all your credit cards, reward cards, gift cards and receipts on a device which you always have with you. Never mind the fact that Europe and Japan have been operating on similar systems since 2003. Never mind that it’s actually more secure than a standard plastic credit card.
Never mind all of that. It’s just a liability waiting to happen.
For those of you that have absolutely no clue as to what I’m talking about, allow me to explain. Google Wallet is exactly what it sounds like: an app currently available on select Android smartphones, which lets you turn your phone into a credit card. Using new wireless communication technology known as Near Field Communication, or NFC, when you tap your Wallet-enabled phone up against a contactless terminal (a normal credit card reader with a wireless doohickey inside), your phone transmits credit card info to the cash register, just as if you’d swiped the card. Unlike with standard credit cards, however, signatures and ID-checks are not required, as the app provides enough authentication to make transactions simple tap-and-go procedures. For added security, the phone will not enter card mode unless you enter a 4-digit PIN. On the face of it, this system sounds like some sort of sci-fi future dream come true, to be followed up shortly by hoverboards and self-lacing Nike shoes.
In practice, however, mobile wallets are far from ready for the mass market. Google Wallet is currently the only mobile wallet app available in the U.S. market, with support for only two credit cards: a Citibank card and a special Google prepaid debit card, which has to be loaded up with money, like a gift card. Speaking of gift cards, Google Wallet only supports four of those too, as there are only an estimated 200,000 PayPass terminals in major retailers across the entire country. The final blow is that Wallet is only supported on Google’s Nexus S 4G, running on the Sprint network. Although 10 Android smartphones currently feature NFC support, Google Wallet has been blocked from all other phones on Verizon, T-Mobile and AT&T, due to the big three pledging their support to a rival mobile wallet service, Isis. Problem? Indubitably, since Isis has yet to produce a usable wallet app and is only now beginning to consider limited testing of their nascent service in Q2 of this year. Thus, anyone wanting to use Google Wallet on an unsupported network must compile it from source code. Now, finally, we come back to my first point: the security issues.
Google Wallet has gotten lots of bad press lately due to a new exploit that can reset the PIN and grant access to a user’s cards on a rooted (jailbroken) phone. Granted, this hack is scary, but let’s back up a minute and look at the security of standard credit cards. With modern technology, cloning a magnetic stripe credit card is unbelievably easy. The tools required cost about $20, and if a thief either looks over your shoulder at the store, or has physical access to your card for about two seconds (say, while you wait for your card to be processed at a restaurant or bar), they can swipe it into a computer, create a duplicate card through the same computer, and have a perfect working clone.
Moreover, given the fact that the signature on a receipt need only be a “present attempt to authenticate,” as per the current state of the law, both you and potential thieves need only sign an X at the counter and the merchant will be obligated to accept it as your signature without question. This system is prone to so much exploitation that it has been replaced completely in the EU with a system of “chips and pins,” where credit cards feature a small computer chip that stores all of the card’s data in an encrypted format. When read at the cash register, a customer is required to enter a 4-digit PIN, which replaces the signature used in American markets, to decrypt their card. Mobile wallet payments one-up even the chip-and-pin system, though, as not only is the credit card info encrypted with a PIN, but it is only transmitted once, for less than 30 seconds, at the point of sale, from a device which never leaves your hand. Thus, the only way to harvest information from a mobile wallet is to stand next to a potential victim with a parabolic antenna, wired to a backpack full of electronics, pointed directly at their phone at the time of payment. That sure wouldn’t look suspicious.
Overall, both the American public and the media need to stop fearing mobile wallet apps, and rather embrace the fact that our phones, sooner or later, will become our credit cards, just as they have become our iPods and our GPS devices. Now if I could only get my hands on one of those hoverboards…