Google Wallet Stores Unencrypted Payment Data

by Mercator Advisory Group

This story points out that Google Wallet does not lock down payment data under all circumstances, namely on a rooted (a.k.a. jailbroken) Android phone. As revealed by viaForensics, it looks like Google has more work to do:

The security specialist says its initial testing of the app on a rooted handset shows that credit card balances, limits, expiration dates, names on cards, transaction dates and locations are all stored in various SQLite databases in unencrypted form.

Google points out that the forensics outfit that uncovered the problems says Google Wallet does a good job when an NFC secure element is involved.

In a statement, Google says: “The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers.”

This last point is disingenuous, however, given that Google Wallet will be used for card-not-present transactions that rely on a cloud-based wallet. Recall that a couple of weeks ago, Google renamed its Google Checkout to Wallet. And there’s the big problem of Google getting access to NFC card emulation mode on Verizon and likely other mobile operator networks.

Wallet’s a work in progress. Keep working.