Feeds

Google Wallet fails to encrypt punters' personal data

Your mobile knows what you spent last summer

Top 5 reasons to deploy VMware with Tegile

Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder's name, transaction dates, the last four digits of credit card numbers, email address, and account balances.

The mobile payment app fails to protect anything beyond the credit card number itself, according to an analysis by ViaForensics. The firm concludes that the shortcoming places users of the technology at unnecessary risk.

While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits.

Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.

Google Wallet is a payment applications, targeted at consumers of Android smartphones. The technology uses wireless Near-Field Communication (NFC) for swipe-to-pay transactions with retailers. The technology is still in the early stages of development and only supports Citi MasterCard and Google Prepaid Card as well as a small number of store and loyalty cards.

Google said ViaForensics' study looked at what data was available on a rooted Android devices running Google Wallet. It adds that credit card and CVV numbers held by Google Wallet are stored in the secure element of an NXP chip used by Android smartphones.

"The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers," Google said in a statement, NFC World reports.

"Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."

The alleged security shortcoming uncovered by ViaForensics stem from Google's implementation rather than any inherent shortcomings in the technology. Failure to encrypt transaction history and other sensitive details is a serious oversight with the technology, according to other security observers.

Mark Bower, VP at encryption firm Voltage Security, commented: “While Google Wallet presents an exciting new way for merchants to expand business, just because it’s new doesn’t make it secure.

"Given the wallet is so new, the fact that they aren’t encrypting the data beyond the credit card is a real surprise in this day and age of exploits and data compromises - the risk here is not so much about the credit card number, it’s about the customer personal data - their transaction history – exactly the kind of data an attacker can use to mount a social attack on the consumer to get something even more valuable.

"Android’s freedom is also its weakness in enabling such attacks to potentially be automated to the Google Wallet.”

Google Wallet was launched in May and still remains very much a work in progress. The analysis by ViaForensics, which the firm says is far from comprehensive, follows other misgivings from security experts about the use of a simple PIN to lock Google Wallet, as exemplified by a blog post by Sophos here.

Last week it emerged that Verizon Wireless is blocking (or at least omitting support for) Google Wallet on the upcoming Galaxy Nexus smartphones that will run on Verizon's 4G LTE network. However this decision might just as easily be explained by a commercial dispute over who controls the secure element on users' smartphones than security concerns per se, a post by Lisa Vass on Sophos' Naked Security blog concludes. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
Torvalds CONFESSES: 'I'm pretty good at alienating devs'
Admits to 'a metric ****load' of mistakes during work with Linux collaborators
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.