Google Wallet Fails to Encrypt Some Payment Data Posing Security Risk
Researchers examined Google Wallet and found a lot of customer information stored in plain text on mobile devices, making users vulnerable to social engineering attacks if malicious attackers gained access to the data.
A high-level review of data transmitted and stored by Google Wallet shows that users can be at risk for financial or identity theft because some sensitive information is stored unencrypted, according to researchers from ViaForensics on Dec. 12. The service takes advantage of Near Field Communications (NFC) technology and brings mobile payments to Android devices.
Information such as card holder's name, transaction dates and locations, email addresses, expiration date, credit limit and account balance was not encrypted, researchers found. While the full credit card account number was hidden, the last four digits are stored in plain text in the app's local SQLite database on the device. Researchers believed the risk that malicious perpetrators would be able to use the data in a social engineering attack was pretty high.
"While Google Wallet does a decent job securing your full credit cards numbers, the amount of data that Google Wallet stores unencrypted on the device is significant," researchers wrote.
The risk wasn't exposure of the credit card number, but that customer's personal data, such as transaction history, was exposed, Mark Bower, vice-president of Voltage Security, told eWEEK. The unencrypted data was "exactly the kind of data an attacker can use to mount a social attack on the consumer to get something even more valuable," Bower said. Considering recent data breaches and attacks, it was a "surprise" that data other than credit card numbers were not being encrypted, he said.
Google Wallet, a new Google app and service which allows users to simply wave their Android devices to charge items to their credit card, redeem gift cards and use their loyalty cards at select retailers. Still in the early stages of deployment, the technology is not yet widely available on Android phones. Google Wallet currently supports one major credit card, MasterCard, Google PrePaid card, gift cards from retailers such as Bloomingdales and Macy's and loyalty cards from stores such as Foot Locker and Office Max.
Researchers used a rooted Android smartphone with Google Wallet version 1.0-R33v6. After researchers disclosed the findings to Google on Nov. 30, the company provided an updated build of Wallet, version 1.1-R41v8, on Dec. 9 for further testing, according to the blog.
The updated build fixed the earlier issue in which transaction data was recoverable even when it was deleted or the app was reset. Google also fixed the issue in which the app created a recoverable image of the card which contained name, expiration date and the last four digits of the card number. The information on the image could have been used to trick users into providing the actual credit card number in a social-engineering attack.
The researchers attempted a man-in-the-middle attack over Wi-Fi, forensically analyzed data stored on the device and examined system logs in the "high-level" testing. The man-in-the-middle attack was attempted during account registration and adding a new card to the app, but Google Wallet successfully thwarted the attack, ViaForensics reported.
Researchers praised the fact that the app successfully repelled a man-in-the-middle attack and that a PIN is required to unlock the app and authorize payments on the credit card. "If a criminal can get your physical credit card, it will be far easier for them to use than if they get your Android device," researchers wrote.