by Christopher Maag

There’s a lot of hullabaloo right now about turning your smartphone into a wallet. Phone companies and major banks hope that someday people will reach for their phone instead of their credit card or cash to buy coffee, gas and household items (especially since processing a bunch of ones and zeroes is much cheaper than handling loose bills).

Internet giant Google is in on the action, having recently demoed something called Google Wallet.  The idea behind the mobile payment plan is to build a system where consumers can buy stuff and receive coupons and loyalty rewards all with their Sprint smartphone.

But as PC World’s Tony Bradley writes, the yet-to-be-released system has a potential security vulnerability. The problem is the software application used by the consumer, the phone, the merchant and the banks to interact. That app also accesses a separate chip on the phone, which holds the user’s encrypted credit card data.

[Resource: Get your free Credit Report Card]

Hackers might not be able to break into the credit card payment networks, Bradley writes. But they may figure out how to reverse engineer that single, all-important app. They might also be able to trick consumers into downloading the wrong app.

Either way, Google’s well-planned security measures could potentially be tripped up.

“I am not trying to suggest that Google Wallet is completely insecure, or scare you away from using it,” Bradley writes. “But, I do think you need to be aware of the potential security holes in the system so you can exercise an appropriate level of caution when using Google Wallet.”

Jimmy Shah, a security researcher at McAfee Labs, shares Bradley’s concern.

“Android apps are relatively easy to reverse-engineer, so that would probably be the first step an attacker would take,” Shah writes.

Google says it will address security concerns by storing payment information on a separate, secure chip, and requiring users to type in a PIN to access it. The company does acknowledge that fraud is possible, however.

“Even though the Google Wallet PIN and Secure Element protect your payment card information, you should still call your issuing banks to cancel your cards” if your phone is lost or stolen, Google says on the web site introducing the service.

[Related: Your Smarter Smartphone]

Christopher Maag is Credit.com’s Staff Writer. Chris graduated with honors from the Columbia University Graduate School of Journalism, and has reported for a number of publications including The New York Times, TIME magazine and Popular Mechanics.

Article originally appeared on Credit.com.

Leave a Reply