Google Wallet Leaves Some Credit Card Data Unencrypted
"Significant" amount of plain text data leaves certain Android phones at risk, researchers say.
Google's much-anticipated mobile payment application locally stores some sensitive user information unencrypted, such as a cardholder's name, transaction dates, email address, and account balance, new research reveals.
Researchers from viaForensics tested the security of Google Wallet--which lets consumers transact credit card charges, redeem gift cards, and use loyalty membership cards in stores from their phones--on rooted Android smartphones and found that the app leaves sensitive data in the clear. While Google Wallet hides the full credit card account number, the last four digits reside in plain text in the app's local SQLite database.
The good news is that viaForensics confirmed that the app does repel man-in-the-middle attacks, and is protected by a PIN to conduct transactions with the cards.
But the app's SQLite databases resident on the Android phones included credit card balance, limit, expiration date, cardholder name, and transaction locations and dates--information that viaForensics said could be used, for example, to social-engineer the actual credit card account details out of the cardholder.
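The finding above is essentially an at-rest storage audit: open the app's local SQLite database and look for fields whose values are recognisably sensitive. The script below is an added example of that kind of check, not viaForensics' tooling and not Google Wallet's real schema; the tables, column names and sample rows are constructed to resemble the categories the article lists (last four digits, expiry date, transaction dates, email address). It walks every TEXT cell in every user table and reports those matching simple shape-based patterns.

```python
"""Audit a SQLite database for sensitive values stored in plain text.

Added example for illustration. The schema and rows built by
build_constructed_db() are constructed for the demo and are not the
layout of any real wallet application.
"""
import re
import sqlite3
from typing import Dict, Iterator, List, Tuple

# Shape-based heuristics for the data categories named in the article.
# Cardholder names have no reliable shape, so they are not detected here;
# treat a clean report as "nothing obvious", not as proof of safety.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    # "1234" or masked forms such as "**** **** **** 1234"
    "card_last4": re.compile(r"^(?:\*{4}[ -]?){0,3}\d{4}$"),
    "iso_date": re.compile(r"^\d{4}-\d{2}-\d{2}"),
    "full_pan": re.compile(r"^\d{13,19}$"),
}


def build_constructed_db() -> sqlite3.Connection:
    """In-memory DB mimicking an unencrypted wallet-style layout (constructed)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE cards (
            id INTEGER PRIMARY KEY, holder TEXT, last4 TEXT, expiry TEXT,
            balance REAL, credit_limit REAL, token BLOB);
        CREATE TABLE transactions (
            id INTEGER PRIMARY KEY, card_id INTEGER, merchant TEXT,
            tx_date TEXT, amount REAL);
        CREATE TABLE account (email TEXT);
        """
    )
    # Sample rows: fictitious values, chosen only to exercise the patterns.
    con.execute(
        "INSERT INTO cards VALUES (1, 'Jane Example', '1234', '2013-06-01', "
        "412.50, 5000.0, X'00')"
    )
    con.execute(
        "INSERT INTO transactions VALUES (1, 1, 'Example Coffee', '2011-12-10', 4.25)"
    )
    con.execute("INSERT INTO account VALUES ('jane@example.com')")
    con.commit()
    return con


def iter_text_cells(con: sqlite3.Connection) -> Iterator[Tuple[str, str, str]]:
    """Yield (table, column, value) for every string cell in every user table."""
    tables = [
        r[0]
        for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'"
        )
    ]
    for table in tables:
        cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
        for row in con.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                if isinstance(val, str):
                    yield table, col, val


def audit_plaintext(con: sqlite3.Connection) -> List[Dict[str, str]]:
    """Return one finding per cell whose plaintext value matches a pattern."""
    findings: List[Dict[str, str]] = []
    for table, col, val in iter_text_cells(con):
        for label, pat in PATTERNS.items():
            if pat.match(val):
                findings.append({"table": table, "column": col, "kind": label})
                break  # one label per cell is enough for a report
    return findings


def audit_file(path: str) -> List[Dict[str, str]]:
    """Open an on-disk database read-only and audit it."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_plaintext(con)
    finally:
        con.close()


if __name__ == "__main__":
    for f in audit_plaintext(build_constructed_db()):
        print(f"{f['table']}.{f['column']}: plaintext {f['kind']}")
```

Run against the constructed database this reports the last-four digits, the expiry date, a transaction date and the email address; the cardholder name and the numeric balance and limit pass silently, which is the main caveat of a shape-based audit. The defensive follow-up the article's findings point to is to keep such columns out of the on-disk database or store them only as ciphertext under a key the app never writes to the same filesystem; this script only finds the exposure, it does not fix it.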
"They underestimated the value of data that consumers are not comfortable with [being exposed]," said Andrew Hoog, chief investigative officer for viaForensics. "I'm not comfortable with someone knowing my credit limit or when my payments are due ... If you had that type of information, you could effectively do a social-engineering attack that could get [an attacker] access to an account."
Meanwhile, a Google spokesperson pointed out that the viaForensics report is based on research conducted on a rooted Android smartphone. The report also applauds the layered security built into the OS and app, the spokesperson said. "The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet," the spokesperson said. "But even in this case, the secure element still protects the payment instructions, including credit card and CVV numbers."