Verizon blocks Google Wallet over security concerns


Google Wallet promotionCiting security concerns, Verizon Wireless is blocking the use of Google Wallet on the upcoming Galaxy Nexus smartphone running on Verizon’s 4G LTE network, according to news reports.

Verizon has denied such reports, which claim that it’s blocking the mobile payment application on the first Android 4.0 Ice Cream Sandwich smartphone, slated to launch in the United States this Friday for $299.99.

But Google has issued this simple statement to the contrary:

Verizon asked us not to include this functionality in the product.

Bloomberg Businessweek quoted a Verizon Wireless spokesman, Jeffrey Nelson, as saying in an email statement on Tuesday that the company is working to have “the best security and user experience.”

Verizon, the largest wireless carrier in the United States, will allow the Google service “when those goals are achieved,” according to Nelson’s statement.

Nelson also told eWEEK’s Clint Boulton that Verizon isn’t blocking Wallet, per se; rather, “Verizon is engaged in ongoing commercial discussions on the matter.” Boulton continues:

Why the ongoing negotiations? Nelson said Google Wallet is different from other mobile commerce services.

"Google Wallet does not simply access the operating system and basic hardware of our phones like thousands of other applications," he added. "Instead, in order to work as architected by Google, Google Wallet needs to be integrated into a new, secure and proprietary hardware element in our phones."

As mobile aficionados well know, Google is pinning its hopes on the Galaxy being a flagship device that will carve away at sales of the iPhone 4S.

ISIS promotionVerizon and its wireless buddies don’t necessarily share in that ambition. Verizon Wireless and its partners AT&T and T-Mobile USA have their own game plan, having invested more than $100 million in a joint venture: a competing wireless payment system called Isis, due to debut in 2012.

At first glance, the security question seems like it could well be little more than a stalling mechanism.

Google Wallet will be protected by a four-digit passcode. That’s certainly not the pinnacle of safe-password heights, as Sophos’s Graham Cluley has pointed out.

Cluley is, of course, right about a longer password being potentially a more secure, less easily guessed password.

But a four-digit password is also plenty more secure than a plain old plastic card. For my part, I refuse to put my signature on the back of a card, instead choosing to write in large block letters PLEASE SEE PHOTO ID.

Even that barely works; a small minority of clerks follow through with my requested compliance with two-factor authentication.

Computerworld’s Matt Hamblen on Wednesday described in detail the security issue that Verizon’s supposedly worried about:

What seems to be at issue is whether Verizon's security team can integrate Google Wallet into a "secure hardware element," or the system for storing private data, in phones with near field communications (NFC) technology. Google Wallet would need to work with whatever secure element Verizon and its partners in the Isis mobile payment venture are using. ...

A smartphone's secure element is usually a chip or a group of chips that bolsters security by recognizing a person's credit credentials apart from the phone's operating system, thus attaching an additional layer of proof for a transaction to go through. The secure element contains a user's personal information that allows a payment to be made, and that information is usually obtained with a cryptographic key.

SIM chipThis brouhaha between Google and Verizon is actually just the latest skirmish in a battle over who should control that secure element, Hamblen writes. The wireless carriers want security on a SIM chip, while smartphone and mobile operating system makers such as Google want it either on an NFC chip or embedded within a separate chip.

These questions seem to boil down to insider baseball. For the consumer, what really matters is that Google Wallet, or Isis, or any given mobile wireless payment system, is secure, not which party gets the right to control that security.

Can we pick secure four-digit passwords? Many of us can, and many of us cannot. That will never change.

Does it matter, given that payment processing players such as MasterCard will protect us from whatever password dopiness we commit on smartphones, refunding the funds we lose if and when our passwords are compromised?

My guess would be no, not really. This Verizon-Google chest-bumping seems to be more about profit and control than real security concerns.