ViaForensics says significant unencrypted credit card data is stored by Google Wallet

A research firm called ViaForensics has released reports saying that Google Wallet stores passwords and doesn’t encrypt the credit card number, the balance or any other information. The firm reached this conclusion after running the application on rooted devices.

Data such as the last four digits of your credit card, name, expiration date, card limit, and transaction locations and dates are stored in unencrypted form on the device in various SQL databases, ViaForensics reported. After a high-level analysis of Google Wallet, the firm reported that the application created recoverable images of the credit card that could provide fodder for a social engineering attack.

Reports claim that Google Wallet even manages to store full credit card numbers. Google Wallet stores a significant amount of unencrypted data on the device, which includes everything except the first 12 digits of the credit card. The reports also claim that, in the case of a social engineering attack against a consumer or provider, the data could be accessed by third parties. For a successful social engineering attack, a well-armed attacker would need your name, recent card usage data, last 4 digits and expiration date, all of which might be stored by the software.

The name on the card, last four digits, expiry date and email account are recoverable even after deleting the transactions or resetting Google Wallet. If you have used Google Wallet on your phone and decide to sell it, you are advised to reset the device, as one cannot rely on Google Wallet to remove all the data. However, during tests Google Wallet successfully protected against an attack over Wi-Fi, which was attempted during the registration of an account and during the addition of a new credit card.
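The article does not say why deleted records stayed recoverable. The following added example (not from ViaForensics or Google) shows one general SQLite behaviour that produces that result and the setting that prevents it: by default a deleted row's bytes stay in the database file, while `PRAGMA secure_delete = ON` zeroes them. The table layout, file name and sample values are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample values, not data from the ViaForensics report.
DELETED_ROW = ("CONSTRUCTED-MERCHANT-7731", "2011-12-01", "1234")
KEPT_ROW = ("CONSTRUCTED-MERCHANT-0002", "2011-12-02", "1234")


def residue_after_delete(secure_delete: bool) -> bool:
    """Insert two rows, delete one, and report whether the deleted row's
    text is still present in the raw database file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet_demo.db")  # hypothetical file name
        con = sqlite3.connect(path)
        # Set explicitly: some SQLite builds default secure_delete to ON.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE txn (merchant TEXT, day TEXT, last4 TEXT)")
        con.executemany("INSERT INTO txn VALUES (?, ?, ?)",
                        [DELETED_ROW, KEPT_ROW])
        con.commit()
        con.execute("DELETE FROM txn WHERE merchant = ?", (DELETED_ROW[0],))
        con.commit()
        # The application's own view: the row is gone in both modes.
        visible = con.execute("SELECT COUNT(*) FROM txn").fetchone()[0]
        assert visible == 1
        con.close()
        # The file's view: read the raw bytes an examiner would see.
        with open(path, "rb") as fh:
            raw = fh.read()
    return DELETED_ROW[0].encode() in raw


if __name__ == "__main__":
    print("default delete leaves residue:", residue_after_delete(False))
    print("secure_delete leaves residue: ", residue_after_delete(True))
```

The same raw-byte check can be used as a regression test for any app that stores sensitive fields in SQLite; it only covers the main database file, not journals, backups or other copies.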

It should be noted that the testing was done on a rooted phone, meaning researchers had root access and control of the device. Even with a rooted device, the credit card details weren’t easily accessible because they are stored in a secure element on an NXP chip. The report concludes by stating that even on a rooted device, the secure element protects the payment instrument (credit card details and CVV number) in most cases, though it would be accessible if the attack were sophisticated enough.

The firm disclosed its findings to Google on the 30th of November. Google Wallet was unveiled in May, and is available on the Google Nexus S.
