Google Wallet Leaves Some Credit Card Data Unencrypted - InformationWeek




"Significant" amount of plain text data leaves certain Android phones at risk, researchers say.

Google's much-anticipated mobile payment application locally stores some sensitive user information unencrypted, such as a cardholder's name, transaction dates, email address, and account balance, new research reveals.

Researchers from viaForensics tested the security of Google Wallet--which lets consumers pay with credit cards, redeem gift cards, and present loyalty membership cards in stores from their phones--on rooted Android smartphones and found that the app leaves sensitive data in the clear. While Google Wallet does not store the full credit card account number in the clear, the last four digits reside in plain text in the app's local SQLite database.

The good news is that viaForensics confirmed that the app resists man-in-the-middle attacks, and that a PIN is required before transactions can be made with the stored cards.

But the app's SQLite databases resident on the Android phones included credit card balance, credit limit, expiration date, cardholder name, and transaction locations and dates--information that viaForensics said could be used, for example, to social-engineer access to the underlying credit card account.
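The check viaForensics describes is a local one: with access to the app's private data directory (which is why a rooted device matters), open the app's SQLite database and look for the kinds of fields listed above. The script below is an added example, not part of the original article and not viaForensics' tooling. It builds a small constructed SQLite database with a hypothetical wallet schema (the table and column names are assumptions, not Google Wallet's real schema), then scans every table for cleartext that looks like an email address, a card expiry, a full Luhn-valid card number, a last-four field, or a balance/limit/cardholder/transaction column. An encrypted blob column is included to show that ciphertext is not flagged.

```python
import os
import re
import sqlite3
import tempfile

# Value-based detectors for the data types the article says were found in the clear.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/(\d{2}|\d{4})$")   # MM/YY or MM/YYYY
PAN_RE = re.compile(r"\b\d{13,19}\b")                        # candidate full card number

# Column-name hints for fields whose values alone are not recognisable (an integer
# balance looks like any other integer). These names are assumptions for the demo.
NAME_HINTS = (
    ("balance", "account_balance"),
    ("limit", "credit_limit"),
    ("holder", "cardholder_name"),
    ("location", "transaction_location"),
    ("date", "transaction_date"),
)


def luhn_ok(digits):
    """Luhn checksum: separates a plausible card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(column, value):
    """Return a finding label for one cell, or None if nothing sensitive is visible."""
    if value is None:
        return None
    if isinstance(value, str):
        if EMAIL_RE.search(value):
            return "email"
        if EXPIRY_RE.match(value):
            return "card_expiry"
        m = PAN_RE.search(value)
        if m and luhn_ok(m.group()):
            return "full_pan"
        if value.isdigit() and len(value) == 4 and "last" in column.lower():
            return "pan_last4"
    col = column.lower()
    for hint, label in NAME_HINTS:
        if hint in col:
            return label
    return None   # bytes (e.g. ciphertext) and unhinted numbers fall through here


def scan_sqlite(path):
    """Walk every user table in the database and classify each cell.

    Returns a sorted list of unique (table, column, label) findings.
    Table names come from sqlite_master and are double-quoted; this is an
    offline audit tool, not something that takes untrusted identifiers.
    """
    findings = set()
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table)]
            for row in con.execute('SELECT * FROM "%s"' % table):
                for col, val in zip(cols, row):
                    label = classify(col, val)
                    if label:
                        findings.add((table, col, label))
    finally:
        con.close()
    return sorted(findings)


def build_sample_db(path):
    """Constructed sample database with a hypothetical wallet schema (not Google Wallet's)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE cards (cardholder_name TEXT, pan_last4 TEXT, expiry TEXT,
                            credit_limit INTEGER, balance INTEGER, pan_ciphertext BLOB);
        CREATE TABLE transactions (tx_date TEXT, location TEXT, amount INTEGER);
        CREATE TABLE account (email TEXT);
    """)
    # The full card number is stored only as an opaque (here random) ciphertext blob.
    con.execute("INSERT INTO cards VALUES (?,?,?,?,?,?)",
                ("Jane Example", "1234", "09/14", 500000, 123456, os.urandom(16)))
    con.execute("INSERT INTO transactions VALUES (?,?,?)",
                ("2011-12-01", "Coffee Shop, Chicago", 425))
    con.execute("INSERT INTO account VALUES (?)", ("jane@example.com",))
    con.commit()
    con.close()


def audit_sample():
    """Build the constructed database in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wallet_sample.db")
        build_sample_db(path)
        return scan_sqlite(path)


if __name__ == "__main__":
    for table, col, label in audit_sample():
        print("%s.%s: %s" % (table, col, label))
```

On a real device the database would first be copied off the phone from the app's private storage, which is readable only with root; that precondition is exactly the one the Google spokesperson raises below. Note that the scan only looks at live rows: data in deleted rows or free pages of the SQLite file would need a raw file scan as well.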


"They underestimated the value of data that consumers are not comfortable with [being exposed]," said Andrew Hoog, chief investigative officer for viaForensics. "I'm not comfortable with someone knowing my credit limit or when my payments are due ... If you had that type of information, you could effectively do a social-engineering attack that could get [an attacker] access to an account."

Meanwhile, a Google spokesperson pointed out that the viaForensics report is based on research conducted on a rooted Android smartphone. The report also applauds the layered security built into the OS and app, the spokesperson said. "The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet," the spokesperson said. "But even in this case, the secure element still protects the payment instructions, including credit card and CVV numbers."

Read the rest of this article on Dark Reading.

