Feeds

Google Wallet fails to encrypt punters' personal data

Your mobile knows what you spent last summer

Top 5 reasons to deploy VMware with Tegile

Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder's name, transaction dates, the last four digits of credit card numbers, email address, and account balances.

The mobile payment app fails to protect anything beyond the credit card number itself, according to an analysis by ViaForensics. The firm concludes that the shortcoming places users of the technology at unnecessary risk.

While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits.

Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.

Google Wallet is a payment applications, targeted at consumers of Android smartphones. The technology uses wireless Near-Field Communication (NFC) for swipe-to-pay transactions with retailers. The technology is still in the early stages of development and only supports Citi MasterCard and Google Prepaid Card as well as a small number of store and loyalty cards.

Google said ViaForensics' study looked at what data was available on a rooted Android devices running Google Wallet. It adds that credit card and CVV numbers held by Google Wallet are stored in the secure element of an NXP chip used by Android smartphones.

"The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers," Google said in a statement, NFC World reports.

"Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."

The alleged security shortcoming uncovered by ViaForensics stem from Google's implementation rather than any inherent shortcomings in the technology. Failure to encrypt transaction history and other sensitive details is a serious oversight with the technology, according to other security observers.

Mark Bower, VP at encryption firm Voltage Security, commented: “While Google Wallet presents an exciting new way for merchants to expand business, just because it’s new doesn’t make it secure.

"Given the wallet is so new, the fact that they aren’t encrypting the data beyond the credit card is a real surprise in this day and age of exploits and data compromises - the risk here is not so much about the credit card number, it’s about the customer personal data - their transaction history – exactly the kind of data an attacker can use to mount a social attack on the consumer to get something even more valuable.

"Android’s freedom is also its weakness in enabling such attacks to potentially be automated to the Google Wallet.”

Google Wallet was launched in May and still remains very much a work in progress. The analysis by ViaForensics, which the firm says is far from comprehensive, follows other misgivings from security experts about the use of a simple PIN to lock Google Wallet, as exemplified by a blog post by Sophos here.

Last week it emerged that Verizon Wireless is blocking (or at least omitting support for) Google Wallet on the upcoming Galaxy Nexus smartphones that will run on Verizon's 4G LTE network. However this decision might just as easily be explained by a commercial dispute over who controls the secure element on users' smartphones than security concerns per se, a post by Lisa Vass on Sophos' Naked Security blog concludes. ®

Remote control for virtualized desktops

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?