Feeds

Google Wallet fails to encrypt punters' personal data

Your mobile knows what you spent last summer

Security for virtualized datacentres

Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder's name, transaction dates, the last four digits of credit card numbers, email address, and account balances.

The mobile payment app fails to protect anything beyond the credit card number itself, according to an analysis by ViaForensics. The firm concludes that the shortcoming places users of the technology at unnecessary risk.

While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits.

Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.

Google Wallet is a payment applications, targeted at consumers of Android smartphones. The technology uses wireless Near-Field Communication (NFC) for swipe-to-pay transactions with retailers. The technology is still in the early stages of development and only supports Citi MasterCard and Google Prepaid Card as well as a small number of store and loyalty cards.

Google said ViaForensics' study looked at what data was available on a rooted Android devices running Google Wallet. It adds that credit card and CVV numbers held by Google Wallet are stored in the secure element of an NXP chip used by Android smartphones.

"The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers," Google said in a statement, NFC World reports.

"Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."

The alleged security shortcoming uncovered by ViaForensics stem from Google's implementation rather than any inherent shortcomings in the technology. Failure to encrypt transaction history and other sensitive details is a serious oversight with the technology, according to other security observers.

Mark Bower, VP at encryption firm Voltage Security, commented: “While Google Wallet presents an exciting new way for merchants to expand business, just because it’s new doesn’t make it secure.

"Given the wallet is so new, the fact that they aren’t encrypting the data beyond the credit card is a real surprise in this day and age of exploits and data compromises - the risk here is not so much about the credit card number, it’s about the customer personal data - their transaction history – exactly the kind of data an attacker can use to mount a social attack on the consumer to get something even more valuable.

"Android’s freedom is also its weakness in enabling such attacks to potentially be automated to the Google Wallet.”

Google Wallet was launched in May and still remains very much a work in progress. The analysis by ViaForensics, which the firm says is far from comprehensive, follows other misgivings from security experts about the use of a simple PIN to lock Google Wallet, as exemplified by a blog post by Sophos here.

Last week it emerged that Verizon Wireless is blocking (or at least omitting support for) Google Wallet on the upcoming Galaxy Nexus smartphones that will run on Verizon's 4G LTE network. However this decision might just as easily be explained by a commercial dispute over who controls the secure element on users' smartphones than security concerns per se, a post by Lisa Vass on Sophos' Naked Security blog concludes. ®

Beginner's guide to SSL certificates

More from The Register

next story
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.