
Google Wallet SmartTap Security and Authenticity – is there any?

Çağlar Arlı

So, I'm playing with Google Wallet and SmartTap and I'm wondering what overall security and authenticity the system provides. I can't find any documentation that explains this in detail.

From what I found by just playing with the APIs and interfaces, I as an issuer can add as many redemptionIssuers (numerical IDs) to my pass configuration as I want, and all of them will then read my pass. This means that when I find out the issuerID of a local merchant, I can issue passes that his terminal will read without him having any control over it. As far as I know, the merchant is unable to check the IssuerID of the pass issuer, so he cannot whitelist them.

Of course, to fake a valid pass, I also need to know a valid smartTapRedemptionValue which might be harder to find.

To me this looks like there is barely any security and authenticity in the system. Am I right here? Does this mean that if I want to make sure that only I can issue passes for my system, I have to add security myself by, e.g., at least signing/encrypting smartTapRedemptionValue, and I have to make sure my IssuerID (which looks incremental and seems to be everywhere) stays secret?

I didn't do any research on how hard it might be to extract the issuerID and/or smartTapRedemptionValue from a phone that has a valid pass, though...
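The mitigation the post floats, signing the smartTapRedemptionValue so that the merchant's side can tell a genuine pass from one issued under a borrowed issuer ID, can be sketched as follows. This is an added example and not code from the post or from Google's Wallet or SmartTap APIs: the value format (base64 payload plus an HMAC tag), the shared signing key, the placeholder issuer ID and the assumption that the merchant's terminal back end can run the verification are all constructed here for illustration. Freshness is included because a value copied off a phone should stop working after a bounded window.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed for this example: a secret shared only between the legitimate
# issuer and the merchant's verifying back end. Not a Google Wallet value.
ISSUER_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER_ID = "1234567890"      # placeholder issuer ID, not a real one
MAX_AGE_SECONDS = 300         # how long a minted value stays acceptable


def make_redemption_value(pass_id, key=ISSUER_SIGNING_KEY, now=None,
                          issuer_id=ISSUER_ID):
    """Mint a signed smartTapRedemptionValue: b64(payload) + '.' + b64(hmac).

    The payload carries the issuer, the pass and an issue timestamp; the
    HMAC-SHA256 tag over the exact payload bytes binds them to the key.
    """
    issued_at = int(now if now is not None else time.time())
    payload = {"iss": issuer_id, "pid": pass_id, "iat": issued_at}
    # Canonical encoding so signer and verifier hash identical bytes.
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(raw).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_redemption_value(value, expected_issuer=ISSUER_ID,
                            key=ISSUER_SIGNING_KEY, now=None,
                            max_age=MAX_AGE_SECONDS):
    """Terminal-side check. Returns (ok, reason, payload).

    Order matters: the MAC is checked before any field is trusted, so a
    value minted under a different key (someone who only knows the issuer
    ID) is rejected before its contents are even parsed.
    """
    try:
        raw_b64, tag_b64 = value.split(".", 1)
        raw = base64.urlsafe_b64decode(raw_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed", None

    expected_tag = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):   # constant-time compare
        return False, "bad_signature", None

    payload = json.loads(raw)
    if payload.get("iss") != expected_issuer:
        return False, "unknown_issuer", None

    age = (now if now is not None else time.time()) - payload["iat"]
    if age < 0 or age > max_age:
        return False, "expired", None
    return True, "ok", payload


if __name__ == "__main__":
    genuine = make_redemption_value("pass-0001", now=1_000)
    print(verify_redemption_value(genuine, now=1_100))
    # A value minted by someone who knows the issuer ID but not the key:
    foreign = make_redemption_value("pass-0001", key=b"some-other-key", now=1_000)
    print(verify_redemption_value(foreign, now=1_100))
```

The point of the design is that the merchant's check no longer depends on the issuer ID being secret: knowing the ID lets an unrelated party configure a pass that the terminal will read, but without the signing key the redemption value fails verification at the back end, and a genuine value lifted from a handset is only accepted inside the freshness window.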