Google card privacy

How bad is Google Wallet for privacy (I only want to use it as a credit card)?

Firstly, cash is king. You’re not going to beat cash, when it comes to privacy.

As for Google Wallet, I personally would not use it. Many people, myself included, want to get away from Google. Do you? If so, I’d encourage you to avoid it. It also does not offer End-To-End Encryption (E2EE), instead using Encrypted in Transit. This means Google will know everything about your cards, IDs, and whatever else you put into your digital Wallet. Even if you didn’t care about Google seeing that data, you’re not really gaining a lot of privacy from your card issuer. Google will still likely pass the Merchant info along, not just to your card issuer, but other 3rd parties.

The only upside to using Google Wallet is Google Pay’s masking. Supposedly it masks your card details to the Merchant. Not quite sure how that’s done. I think it’s done similarly to Apple’s token method (which is privacy respecting), but not sure.

As far as I can tell, this is the main benefit for privacy, though I would like to read up on exactly how this works.

If it works within your threat model, one option could be to have a card ready with Google Pay to work as a backup in case you don’t have your card on you for whatever reason. Normally it’s more likely that a card will be accepted rather than your phone NFC, but it’s an option. If you happen to already pay for other Google services or have a card in the Google Play Store for paid apps, then you’re not adding additional exposure to that information.

If you’re going to use it more frequently, then you just have to decide whether Google is acceptable within your threat model, or to what degree. Maybe you can make a Google account specifically for Google Pay to compartmentalize it from other things you may use Google for. All depends on how far you need to or want to go.

What are some alternatives to Google or Apple Pay that might work better? I think I heard PayPal also can be used to mask credit card information for making IRL purchases, but I know PayPal has their own reputation and still may not work for some.

So since my last post, I’ve been reading into it a bit more. From what I have found, these payment services (both Apple and Google, anyway) use the same EMV cryptography standards as normal cards, but emulated. Also for anyone interested, this video does a pretty good job of breaking down how both Apple/Google Pay work.

Considering how big Google is, I don’t think compartmentalising would work. Once they have your card details, which if you use this service, they will have, you’re going to give up that privacy. With card details comes your name, bank info, address, and so on. If you then also use it with other cards (like IDs, medical stuff, etc), you’d be helping them even further.

Samsung also has its variant, which is a mix of the two (Google/Apple). Unlike Google, which has your tokens tied to your Google account, the Samsung token is tied to the device (like Apple). This token is saved with Knox… I think Samsung calls it a “secure environment”. A couple of years back (2015/2016), I recall some people criticising the security of Knox, so don’t know if that’s changed (or how accurate it was… memory is a bit foggy). In theory, it SHOULD be better than Google’s variant. You also have the ability to remotely wipe that data, with other Samsung features. Even if Knox is good, Samsung Pay rollout has really slowed down. I’ve never seen a place that accepts it… or mentions that they accept it, at least. One of the upsides of Samsung is their “rewards” program. They’ll sell your data, but at least you’ll get something from it.

I haven’t heard of PayPal’s variant, though I think you can use it in tandem with Google Pay (not sure if that’s true with Wallet… Google has so many projects, with similar names, and nothing to do with each other…).

Between all the options that I know of, Apple is the only one that I feel like I can recommend. The cards have been E2EE for a long time now, and with ADP, even the other stuff is E2EE. You can also disable online backups, if that’s more your jam. From what I’ve read, Apple has no access to your card details (unlike Google), and they seem to have minimal involvement. Still not great, but the best of the bad bunch.
