Perspectives on loss and theft: ApplePay and Google Wallet

Mobile payment services and their security mechanisms

ApplePay and Google Wallet are mobile payment services that aim to make the shopping experience of their users more comfortable, while protecting their payment information with the highest security measures.

Specialists in enterprise data protection services mention that both ApplePay and Google Wallet pay a lot of attention to security. In fact, we can even make the general statement that almost all mobile wallet services are at least a little safer than traditional magnetic stripe cards, but to be honest, that is not the right comparison. Today it’s about breaking into the payment industry through innovation and technology. In the process, an effort must be made to reach unprecedented levels of security and data protection, not just take small steps forward.

ApplePay and Google Wallet are focused on accomplishing that. Both deal with security at all levels of the payment lifecycle without compromising consumer comfort. This article will try to identify some differences in their security strategies and measures in cases of loss or theft.

In the past, when we lost our physical wallet, the immediate security measure was to identify all the credit and debit cards and anything else of value stored in it, call the customer service of the respective banks and inform each one about the loss or theft. Between the time the cards were stolen and the time they were reported to the issuing banks, we had to hope that they had not been used. Even after the card theft had been reported, there was still the possibility of misuse through offline transactions, which are common in some places.

Now, think about this scenario: you lost your Android phone equipped with Google Wallet or an iPhone equipped with ApplePay, with multiple payment accounts stored in the device’s memory. Unlike the physical wallet, Google Wallet is protected by a PIN known only to the user. In ApplePay, the information is protected by Touch ID, which can only be used by the device owner.

A thief with no technology knowledge could not even overcome this first security level. No card stored in the electronic wallet can be used.

Now, once you realize you’ve lost your phone, you don’t have to panic trying to remember all the cards you had inside, looking up customer service numbers and so forth. You can easily go to the Google Wallet website and mark your wallet as lost or stolen with just a couple of clicks. Similarly, you can go to Apple’s iCloud website and put your phone in “Lost Mode”. In both cases, when your phone is online, the lost mode of the mobile payment service will be activated.

Let’s suppose for a moment that the thief has some technical knowledge and somehow bypasses the first security level (PIN or Touch ID). Activating the phone’s lost mode enables a second level of security. In the case of Google Wallet, the phone will refuse to make any payment transaction, even if the PIN has been hacked. In the case of ApplePay, the tokens stored within the built-in secure element will be erased, making it impossible to make a payment transaction, even if the Touch ID has been hacked. Experts in enterprise data protection services consider that this second level of security makes these services even more secure.

Once these two recommendations have been completed, your information will be more or less secure in case of theft or loss. You don’t even have to call the issuing banks. In fact, you can keep using your payment cards as usual without waiting to receive any replacement. This is fine but, in case you want to be completely sure, you can call the issuing banks to report the loss. Specialists in enterprise data protection services commented that, for users of these services, it is not necessary to make the report, but the option is always there if you need it.

There is an important exception to “Lost Mode” in the case of a robbery. Lost mode can be communicated to your mobile wallet only if your phone is online. If your phone does not get online, neither Apple nor Google will be able to activate the lost mode on their respective wallets. What happens if the thief makes sure the phone doesn’t get online after stealing it? This compromises the second security level. If they could also hack the first security level (PIN or Touch ID), they might seem ready to spend from our cards. Let’s analyze this scenario in the context of ApplePay and Google Wallet.

In the case of ApplePay, the assumption is that Touch ID is strong enough and cannot be broken. That is why ApplePay does not allow PIN-based authentication of payment transactions, as they consider it less secure. In the rarest scenarios where the thieves can successfully crack the Touch ID and also successfully ensure that the phone cannot be put in lost mode, there is a loophole that can be exploited. In this case, experts in enterprise data protection services recommend reporting and blocking the physical cards.

Regarding Google Wallet, access by PIN is not as safe as Touch ID. In addition, it is also possible to set up Google Wallet so that it does not request the PIN for a certain time. This leaves a security hole if your device is lost during that period.

But Google has one more trick. Unlike ApplePay, where a transaction never enters Apple servers, the server in the Google Wallet cloud is involved whenever a payment transaction is made. Google has to authorize the current transaction. Therefore, even if the thief prevents the phone from enabling lost mode and cracks the PIN, at the end of the day the transaction must pass through the servers in the Google Wallet cloud. If the wallet has already been placed in lost mode on the server, any transaction will be rejected by Google, so the efforts of the thief won’t pay off.
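The offline-phone scenario from the last few paragraphs, worked through as a small threat-model enumeration. This is an added example, not code from either service: the two functions encode only the behaviour this article describes, and every name in it is hypothetical.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Scenario:
    local_auth_bypassed: bool  # thief got past the PIN / Touch ID
    lost_mode_requested: bool  # owner flagged the phone or wallet as lost on the website
    phone_online: bool         # phone has been online since that request


def device_only_wallet(s: Scenario) -> bool:
    """Design A (ApplePay as described above): the payment is authorized on the
    device; lost mode erases the tokens only once the phone is online."""
    tokens_erased = s.lost_mode_requested and s.phone_online
    return s.local_auth_bypassed and not tokens_erased


def server_authorized_wallet(s: Scenario) -> bool:
    """Design B (Google Wallet as described above): the phone refuses payments once
    lost mode reaches it, and the server rejects any wallet flagged as lost."""
    device_refuses = s.lost_mode_requested and s.phone_online
    server_rejects = s.lost_mode_requested
    return s.local_auth_bypassed and not device_refuses and not server_rejects


def all_scenarios():
    """Every combination of the three conditions (2^3 = 8 cases)."""
    return [Scenario(*bits) for bits in product([True, False], repeat=3)]


def exposure(wallet):
    """All scenarios in which a payment by the thief goes through."""
    return [s for s in all_scenarios() if wallet(s)]


def residual_risk(wallet):
    """Exposure that remains even after the owner has requested lost mode."""
    return [s for s in exposure(wallet) if s.lost_mode_requested]


if __name__ == "__main__":
    for name, wallet in [("device-only", device_only_wallet),
                         ("server-authorized", server_authorized_wallet)]:
        print(name, "exposed in", len(exposure(wallet)), "of 8 scenarios;",
              "after lost mode:", residual_risk(wallet))
```

In this model both designs stay exposed until the owner actually requests lost mode, which is why reporting quickly still matters; only the device-only design keeps a gap afterwards, when the phone is held offline.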

In conclusion, in case of theft or loss of your device, both ApplePay and Google Wallet offer several levels of security. Some may consider ApplePay’s Touch ID to be more secure, while others will think that the Google Wallet server-side authentication is a better strategy. Specialists in enterprise data protection services from the International Institute of Cyber Security consider that both are solid and revolutionary security measures. We just have to wait and see which one stands the test of time in the real world.