Feeds

Google Wallet fails to encrypt punters' personal data

Your mobile knows what you spent last summer

Internet Security Threat Report 2014

Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder's name, transaction dates, the last four digits of credit card numbers, email address, and account balances.

The mobile payment app fails to protect anything beyond the credit card number itself, according to an analysis by ViaForensics. The firm concludes that the shortcoming places users of the technology at unnecessary risk.

While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits.

Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.

Google Wallet is a payment applications, targeted at consumers of Android smartphones. The technology uses wireless Near-Field Communication (NFC) for swipe-to-pay transactions with retailers. The technology is still in the early stages of development and only supports Citi MasterCard and Google Prepaid Card as well as a small number of store and loyalty cards.

Google said ViaForensics' study looked at what data was available on a rooted Android devices running Google Wallet. It adds that credit card and CVV numbers held by Google Wallet are stored in the secure element of an NXP chip used by Android smartphones.

"The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers," Google said in a statement, NFC World reports.

"Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."

The alleged security shortcoming uncovered by ViaForensics stem from Google's implementation rather than any inherent shortcomings in the technology. Failure to encrypt transaction history and other sensitive details is a serious oversight with the technology, according to other security observers.

Mark Bower, VP at encryption firm Voltage Security, commented: “While Google Wallet presents an exciting new way for merchants to expand business, just because it’s new doesn’t make it secure.

"Given the wallet is so new, the fact that they aren’t encrypting the data beyond the credit card is a real surprise in this day and age of exploits and data compromises - the risk here is not so much about the credit card number, it’s about the customer personal data - their transaction history – exactly the kind of data an attacker can use to mount a social attack on the consumer to get something even more valuable.

"Android’s freedom is also its weakness in enabling such attacks to potentially be automated to the Google Wallet.”

Google Wallet was launched in May and still remains very much a work in progress. The analysis by ViaForensics, which the firm says is far from comprehensive, follows other misgivings from security experts about the use of a simple PIN to lock Google Wallet, as exemplified by a blog post by Sophos here.

Last week it emerged that Verizon Wireless is blocking (or at least omitting support for) Google Wallet on the upcoming Galaxy Nexus smartphones that will run on Verizon's 4G LTE network. However this decision might just as easily be explained by a commercial dispute over who controls the secure element on users' smartphones than security concerns per se, a post by Lisa Vass on Sophos' Naked Security blog concludes. ®

Intelligent flash storage arrays

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.