Friday, December 16, 2011

Google Wallet saves data in plain text

This could be a serious blow for Google Wallet. The much-talked-about NFC app from Google seems to be storing card data in plain text, according to viaForensics, who tested the security aspects of Google Wallet. Though only the last four digits of the card number are visible and man-in-the-middle attacks are blocked by the app, the SQLite database, when hacked, can reveal credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates. This is very private and confidential information, even though the problem appears to be only on rooted devices.

"They underestimated the value of data that consumers are not comfortable with [being exposed]," says Andrew Hoog, chief investigative officer for viaForensics. "I'm not comfortable with someone knowing my credit limit or when my payments are due ... If you had that type of information, you could effectively do a social-engineering attack that could get [an attacker] access to an account."

In response, a Google spokesperson says that the viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet, and that even in this case, the secure element still protects the payment instructions, including credit card and CVV numbers. You can find the full analysis here.
