Google Wallet Leaves Some Credit Card Data Unencrypted

Significant amount of plain text data leaves certain Android phones at risk, researchers say.
Google's much-anticipated mobile payment application locally stores some sensitive user information unencrypted, such as a cardholder's name, transaction dates, email address, and account balance, new research reveals.

Researchers from viaForensics tested the security of Google Wallet--which lets consumers transact credit card charges, redeem gift cards, and use loyalty membership cards in stores from their phones--on rooted Android smartphones and found that the app leaves sensitive data in the clear. While Google Wallet hides the full credit card account number, the last four digits reside in plain text in the app's local SQLite database.

The good news is that viaForensics confirmed that the app resists man-in-the-middle attacks against its network traffic and requires a PIN before any of the stored cards can be used in a transaction.

But the app's SQLite databases resident on the Android phone included the credit card balance, credit limit, expiration date, cardholder name, and transaction locations and dates--information that viaForensics said could be used, for example, to social-engineer the actual credit card account out of the cardholder or the card issuer.
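The kind of check viaForensics describes, reviewing an app's local SQLite store for values that should never sit in the clear, can be scripted. The following is an added example, not code from viaForensics or Google; the table layout and rows are constructed to resemble a wallet-style app and are not Google Wallet's real schema or data. On a rooted device the same scan would run against the database files pulled from the app's private data directory.

```python
"""Audit an app's SQLite database for sensitive data stored in plain text.

Added example with a constructed schema: the tables and rows below are
invented to resemble a wallet-style app and are NOT Google Wallet's.
"""
import re
import sqlite3

# Value shapes a reviewer would not want to find unencrypted at rest.
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "card_last4": re.compile(r"^(?:\*{4,}|x{4,}|XXXX[- ]?)?\d{4}$"),
    "expiry": re.compile(r"^(0[1-9]|1[0-2])/\d{2,4}$"),
    "money": re.compile(r"^-?\$?\d{1,9}(\.\d{2})$"),
    "timestamp": re.compile(r"^\d{4}-\d{2}-\d{2}"),
}

# Column names that are sensitive regardless of what the value looks like.
SENSITIVE_COLUMNS = ("holder", "name", "email", "merchant", "location")


def build_sample_db():
    """Create an in-memory database with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE account(id INTEGER, holder TEXT, email TEXT, "
                "balance TEXT, credit_limit TEXT)")
    cur.execute("CREATE TABLE card(id INTEGER, masked_pan TEXT, expiry TEXT, "
                "pan_ciphertext BLOB)")
    cur.execute("CREATE TABLE txn(id INTEGER, merchant TEXT, amount TEXT, "
                "when_ts TEXT)")
    cur.execute("INSERT INTO account VALUES (?,?,?,?,?)",
                (1, "Jane Example", "jane@example.com", "1234.56", "5000.00"))
    # The full PAN is stored only as an opaque blob, as it should be.
    cur.execute("INSERT INTO card VALUES (?,?,?,?)",
                (1, "XXXX-4242", "11/14", b"\x8f\x13\x00\xa7"))
    cur.execute("INSERT INTO txn VALUES (?,?,?,?)",
                (1, "Coffee Shop, Chicago IL", "4.25", "2011-12-12T09:41:00"))
    conn.commit()
    return conn


def scan_db(conn):
    """Walk every table and column; return (table, column, kind, value) hits."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                if not isinstance(val, str):
                    continue  # ints and BLOBs skipped: ciphertext is expected to be opaque
                kind = next((k for k, p in PATTERNS.items() if p.match(val)), None)
                if kind is None and any(k in col.lower() for k in SENSITIVE_COLUMNS):
                    kind = "column_name"
                if kind is not None:
                    findings.append((table, col, kind, val))
    return findings


if __name__ == "__main__":
    for table, col, kind, val in scan_db(build_sample_db()):
        print(f"{table}.{col}: {kind} -> {val!r}")
```

The scan deliberately skips BLOB columns, so a correctly encrypted PAN produces no finding while the masked last four digits, expiry, balance, limit, cardholder name, merchant location and transaction timestamp each do; those are exactly the fields the report lists as readable on a rooted device.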


"They underestimated the value of data that consumers are not comfortable with [being exposed]," said Andrew Hoog, chief investigative officer for viaForensics. "I'm not comfortable with someone knowing my credit limit or when my payments are due ... If you had that type of information, you could effectively do a social-engineering attack that could get [an attacker] access to an account."

Meanwhile, a Google spokesperson pointed out that the viaForensics report is based on research conducted on a rooted Android smartphone. The report also applauds the layered security built into the OS and app, the spokesperson said. "The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet," the spokesperson said. "But even in this case, the secure element still protects the payment instructions, including credit card and CVV numbers."

Read the rest of this article on Dark Reading.
