December 16, 2011

UPDATED: Google Wallet gets a #fail from security research company

Too much sensitive data is stored unencrypted, leaving users open to socially engineered attacks, viaForensics claims

By Cbr Rolling Blog

Google Wallet, the company’s much-hyped mobile payments app, stores user information unencrypted, according to security firm viaForensics.

Google Wallet uses Near Field Communications (NFC) to enable users to pay for items via their phone. It was reported this week that the app will go live in the UK in time for the London 2012 Olympic Games.

However, analysis carried out by viaForensics has revealed that beyond a user’s full credit card number, pretty much everything is stored unencrypted.

The company’s analysis described the amount of unencrypted data as "significant". This means that the cardholder’s name, credit card balance, limits, expiration date, transaction dates and locations are unencrypted, potentially exposing the user to fraud.

The report notes: "Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage."

"When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineer attack," it added.

The report admits that its analysis is far from comprehensive and that more research is needed. However, it does suggest that the security risks from Google Wallet may put some consumers off.


"This testing was really only very high level. Far more sophisticated and comprehensive security analysis is needed to determine if other vulnerabilities are present. From a tech standpoint, it’s very exciting to see Google Wallet in production," the report states.

"However, it has consistently been viaForensics’ position that the largest security risk from apps using NFC does not stem from the core NFC technology but instead the apps that use the technology," viaForensics continued. "In this case, the amount of unencrypted data stored by Google Wallet surpasses what we believe most consumers find acceptable."

UPDATE: Google has responded to the report’s findings: "The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers," the company told CBR in a statement.

"Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices," the statement added.
