Google Wallet Stores Card Data In Plain Text 213
nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."
Not tooo worried about this one (Score:4, Informative)
Re:Not tooo worried about this one (Score:5, Informative)
However, it is worth noting that even if they ignore all of the best practices, they are probably technically in the clear right now. Mobile Applications are currently exempted from PCI and PA enforcement pending an update to the rules. As they are currently written, they acknowledge that they were not designed with mobile devices in mind. Mobile payment application developers are encouraged to follow the general guidelines of PCI, but they are somewhat left to their best judgement.
The storage is PCI-compliant, based on the article (Score:4, Insightful)
Actually even if PCI does apply to the mobile app, based on the article the storage does meet the PCI storage guidelines, which are not as stringent as you might imagine. PCI actually does not require encryption of the credit card number as long as it is truncated to the last 4 digits. And cardholder name and expiration date may be plain text. This is explained on p. 8 of the PCI-DSS v2.0 spec, and in Requirement 3.4.
That said, the plain-text storage is incredibly stupid, and any payment apps on a phone should go above and beyond PCI requirements. And apart from the storage, the rest of the data path needs to be examined to look for other unencrypted links.
Re:Not tooo worried about this one (Score:5, Informative)
The passwords were *cough* hashed. I suppose that's a kind of plain text.
Re: (Score:3)
How long has it been and people are still spreading the "ZOMG PASSWORDS IN PLAIN TEXT!!" rubbish?
Re:Not tooo worried about this one (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3)
My bank stores my password in plain text. It's clearly not even hashed as they only need (eg) the third and fifth characters to give me access.
no they do encrypt it but they encrypt each letter seperately!
Re: (Score:3)
> Whatever hashing/salting/encrypting technique that can be used safely store passwords can be repeated to safely store individual characters instead.
Yeah, it's totally alright, because it only lowers complexity of brute-forcing from N^M to N*M (where N is number of characters in password's allowed alphabet and M is length of password).
And if they hash pairs of characters instead, then it's (N^2)*M/2 for non-intersecting pairs and N^2+N*(M-1) for intersecting.
Re: (Score:3, Informative)
Sure, mr. Apple Fan, storing the same last 4 digits that are printed on every receipt is a security nightmare. Google is EEEEVIL. EEEEEVIL, I tell you!
"Way to spin it" is what article summary and headline do.
Re:Not tooo worried about this one (Score:5, Insightful)
But the apps' SQLite databases resident on the Android phones included credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates -- information that viaForensics says could be used, for example, as a way to social-engineer the actual credit-card account from the cardholder.
That is just bad security from so large company that is trying to get everyone to use their mobile payment platform. You really shouldn't give them a pass on this just because they're Google. They need to be held to same security standards as everyone else.
Re: (Score:3)
Hey, you're late to your Google bashing. Don't let that happen again.
A) It's called PCI compliance. They are PCI compliant. Whether the standard is a good one is a different question.
B) A more detailed description of the problem is here: http://slashdot.org/comments.pl?sid=2576938&cid=38397406 [slashdot.org] Please compare and contrast with how Microsoft is approaching the problem.
hey, it's their business model (Score:3)
i mean, if it was encrypted, how the hell would they index it for search?!?!
NFC (Score:5, Funny)
Re: (Score:2)
Nearfeild communication 1-4 cm transmission devices. Like pay pass.
Re: (Score:2)
Your obsession with Apple is unhealthy.
You know the old saying: An Apple rant a day ...
Re: (Score:2)
When the equipment is good paypass is much faster. No waiting for change. Just tap the card on the machine and you're done.
Compare that to when I went to the dollar store the other day and I had to wait patiently while the clerk punched the numbers in on the calculator to figure out how much change to give back when I gave her a $2 coin to pay for a $1.13 purchase.
Stupid headline (Score:5, Insightful)
"Stores Card Data In Plain Text"
isn't quite the same thing as
"suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number"
Re: (Score:2, Informative)
RTFL: "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext."
Re:Stupid headline (Score:5, Informative)
Neither statement is completely clear, but as I see it Google Wallet is storing (some) data about the card in plain text, which may be enough for anyone that discovers it to obtain further details about that person and their card from the financial institution via social engineering.
To me this means if you lose your phone, it may have enough information on it to enable the finder to then get your credit card details through social engineering.
Re: (Score:3)
That's why it is important to report it lost as soon as possible.
Lost credit card statements are worse as if intercepted in the post because you won't even realise it until it has been missing for a few days.
Re:Stupid headline (Score:4, Insightful)
I'm curious as to what social engineering technique could be used to find a card number? I have never seen a website that will reveal credit card info as anything other than **** **** **** 1234, nor have I ever heard of a bank that will give out your number over the phone. The only thing they ever do is post you out a new card and disable the current one.
Seriously, phone up your bank and say "Hey it's Mr Smith here, I left home without my card today and I absolutely must buy this cute thingymabob on the internet, I know the last 4 digits are 1234 but that's it - could you help a brother out?" and see what happens. Then there's the CVN which shouldn't be stored in ANY payment system - except maybe the card authenticator themselves (i.e. Visa/Mastercard).
Re:Stupid headline (Score:5, Insightful)
I'm curious as to what social engineering technique could be used to find a card number?
The target is not the bank or credit card company - it is the owner of the phone ... and remember, it doesn't have to work often (or on /.ers):
- Someone with malicious intent gets your Google Wallet info from your phone (either via malware or acquiring your phone).
- They contact the owner of the phone claiming to be from one of the stores that is listed in the plain text Google Wallet transaction history.
- They tell the owner of the phone that their records show that your Google Wallet was charged <insert excessive amount here by moving the decimal two places to the right> and surely that amount is not correct.
- They blame the error on the new payment technology (e.g., "they still haven't worked all the bugs out", etc).
- The remind the owner of the phone to pay close attention to their next statement just in case this happened with any other retailer.
- They tell the owner of the phone that they need the CC# and CCV to issue the credit because "they don't store that information for security reasons".
- If they've played their role correctly the owner of the phone may provide the requested information.
Re: (Score:2)
You could play out that entire scenario without the Google Wallet info. Look up the phone number from some random person in the phone book, call them, and say "Good morning Mr. Smith, I'm with your bank's fraud unit, and we saw a large transaction on your Mastercard and wanted to verify that it is legitimate..." Sure, it might be a little more convincing if you knew the last 4 digits of the card and info about an actual transaction, but that just bumps up your probability of success a bit.
Re: (Score:2)
Pretending to be the bank out of the blue is going to raise more eyebrows than pretending to be the store the dude went to the day before, especially when the caller can substantiate his claim by citing what the user bought there.
Re: (Score:2)
Re: (Score:2)
"I"m at work right now, and my credit card is at home, can I get your phone number so that I can call you back with that information once I get it? Thanks."
Re: (Score:3, Insightful)
Phone call:
" hi this is the chase anti fraud department. We've noticed some suspicious activity on your account. Can you verify if you initiated the following charges? Oh you did that's great. I just need to verify if you're in possession of your card right now. Can you please read the 16 digits off the front of it for me?"
I wouldn't fall for it. You and most slashdotters probably wouldn't either. But rest assured there are still millions who would. Those same people who go clicking every link they find in
Re: (Score:2)
> It's safe because only someone with root access can access it.
Just like anyone with your wallet can access all of your credit cards.
Re: (Score:2)
Yes, anyone can call and say they're a bank. And they might know your name, which shouldn't be enough to authenticate, but a few people here and there will fall for it anyways. There's no helping them.
But if someone calls with your name, knows transactions that you've recently made, and has other identifying information (including your credit limit. That way, once they determine your card is "safe" they can offer to raise your limit from XXX (which they know) to YYY (a made up number). Of course that won't
Re:Stupid headline (Score:5, Insightful)
If I have your mobile phone with access why would I bother trying to get to your creditcard when I can get pretty much anything I want - it has access to E-mail, SMS, friends and family.
I could just try and grab all your passwords, getting to your online email client before you do I can probably change settings enough for you to be unable to quickly recover anything. From that point I can start initiating scam mails at your friends and family.
Having a credit card number is only useful for a limited time; having access to all your personal data will enable an attacker to keep stealing.
Re: (Score:2)
Its actually a bit worse than this. It gives a bonafide target for a trojan.
Re: (Score:2)
Re:Stupid headline (Score:5, Informative)
Also it cites the PCI standard, but that applies only to a full credit card number that has been transmitted already.
In this case, it only keeps the 4 digits of the card number and the expiration date in plain text on your own phone. It's not bad compared to a regular wallet that will keep the full credit card number, the expiration date, the full name, and the verification code as well, all written in plain text on some flat piece of plastic.
Re:Stupid headline (Score:4, Insightful)
Oh, so this is on a users phone? (Yea I didn't read FTA).
If so, this is right up there with the previous scandal about Android keeping passwords in plaintext. In that case you had to be root to gain access them, meaning whether or not they were stored as plaintext would be a moot point. If you're root, then surely you can do anything including invoke any methods used for decryption. Same goes for this.
Re: (Score:2)
This 'social engineering' attack requires root on the user's phone as well by the way. A lot of effort just to get someone's credit card number.
Re: (Score:3)
Oh, so this is on a users phone? (Yea I didn't read FTA).
If so, this is right up there with the previous scandal about Android keeping passwords in plaintext. In that case you had to be root to gain access them, meaning whether or not they were stored as plaintext would be a moot point. If you're root, then surely you can do anything including invoke any methods used for decryption. Same goes for this.
Root access is also required for this attack. Without root, a person with your phone can't get the unencrypted data. Rooting the phone via normal means (i.e. not exploiting some other security defect) will wipe the data.
Re: (Score:3)
On your laptop, if someone steals it while it's turned off, they can do anything they want, including becoming root, and they still don't get to read any of the files in your home directory without the [LUKS|truecrypt|whatever_you're_using] decryption key. Having both root and physical access isn't enough unless they manage to get the system while it's already up.
"Invoking the methods used for decryption" is poi
Re: (Score:3)
The plain text stored passwords and the card details are not really comparable.
The plain text passwords for certain services have to be unlocked at boot to make these services function, they have to be kept open for background use even the phone interface might be locked (just like the home dir). The card details can be kept encrypted at all times except when actually being used, which should always happen interactively.
Re: (Score:2)
Oh, so this is another "google is evil!" non-story that the editors didn't bother to fact-check, but is good for driving page hits.
This never happened before Taco left.
Re: (Score:3)
[data] such as a cardholder's name, transaction dates, email address, and account balance
Maybe enough for social engineering, probably not.
Why is it a stupid headline? (Score:2)
I'm confused because you don't explain why "Stores Card Data In Plain Text" is a stupid headline. The statement you apparently cited as evidence restates that the data is stored in plain text and therefore may be vulnerable to social engineering attacks. Are you suggesting the headline is somehow contradictory to that? I mean, they both say that the data is stored in plain text, so what exactly is stupid about the headline?
Re: (Score:3, Informative)
The headline merely says the data is stored in plain text, which is true. There is no further implication made.
It should say "Stores Some Card & Transaction Data In Plain Text".
The headline was provocative and misleading because Google Wallet does not store the card number or CCV in plain text, both of which are considered the most important elements of card data.
This type of plain text data storage - even if it is just exp date, transaction dates & amounts, etc - is irresponsible, but TFA also said they needed to root the phone and get past Android security and Google security layers. Of course, if some
Bitcoin is more secure than ACH (Score:3, Funny)
Re: (Score:2)
... It is the strongest computer in the world...
I'm scared of this.
Re: (Score:2)
Re:Bitcoin is more secure than ACH (Score:4, Insightful)
Re: (Score:3)
Because the common person doesn't know anything about Bitcoin, hence there's no trust. Trust is of paramount importance in any monetary system.
No kidding. (Score:5, Insightful)
viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.
Correct me if I'm wrong, but isn't social engineering the art of tricking people into giving information or access they wouldn't normally? If the security is breached through human gullibility I don't see what method of storing the data is going to protect against that, unless it's storing it where nobody but PCs have access to it and no humans have access to said PC's.
I can socially engineer the card holder to give me their card info and you can't encrypt against that.
Re:No kidding. (Score:4, Insightful)
I think the point being that if you can trick someone into giving you a file that they don't know contains their credit card number in plain text, unlike giving you the card number directly, they don't even know what you have.
Re: (Score:2)
Except that the plain-text file contains only the last 4 digits of the CC info, fully missing the other 12 digits. Hell, almost every bill auto-pay system I use regularly sends me an email containing my CC's last 4-digits. But otherwise, yeah, exactly like you describe.
Here's one of my CC numbers: xxxx-xxxx-xxxx-2932. Have fun with it.
Re:No kidding. (Score:5, Insightful)
Re: (Score:2)
I think the point was that it makes it easier to pull off the "social engineering" if you have access to information only privileged parties should have. They should still be encrypting the locally stored data, and it's just lazy not to.
Encrypt it with what key?
This attack already requires a rooted phone. If the attacker has your phone, and has rooted it, then he has access to any key stored on the phone.
The key could be derived from your PIN, but that's four digits. How long does it take to brute force search 10^4 possibilities? Milliseconds. This would be a ciphertext-only attack, so the the attacker would need to be able to recognize the correct plaintext. If all of the potentially-sensitive data were encrypted, picking the cor
Re: (Score:2)
Yes, that's it. I don't understand why would you want to encrypt anything unless you have passphrase support for it, or some other form of secret that makes the encryption do something. If you don't protect the key with a secret, the encryption is no longer an encryption.
Unless you have your phone ask you for a very long passphrase, any encryption is pointless. So you have only three options:
1) Use an encrypted key chain or better full disk encryption with a really long passphrase which is incredibly inconv
Re: (Score:2)
(Disclaimer: I work for Google, and part of my work is related to Wallet, but I have carefully restricted my comments to exactly what I would have said based on the knowledge I had before joining Google.)
Partitioning your knowledge like this is an interesting and valuable skill. Did they teach you this before or after teaching you the secret of levitation?
Re: (Score:2)
(Disclaimer: I work for Google, and part of my work is related to Wallet, but I have carefully restricted my comments to exactly what I would have said based on the knowledge I had before joining Google.)
Partitioning your knowledge like this is an interesting and valuable skill. Did they teach you this before or after teaching you the secret of levitation?
It's not that hard. I just thought about what I would have said if presented with this same story a year ago. Since I was actively thinking and discussing such things at that time, it wasn't difficult.
Re:No kidding. (Score:5, Insightful)
You are only seeing the little picture. The idea is that if someone can get ahold of this data (like say they snatch your phone) then they can use that data to trick you into believing that they are someone trustworthy, like a rep at your bank.
For example, they get your payment transaction history and then they call you up - tell you your transaction history as a means of authenticating themselves as someone who works for your bank and then get you to disclose your online banking username and password, at which point they empty your entire savings account.
Re: (Score:2, Insightful)
Wouldn't you be kind of suspicious if your phone gets snatched and suddenly someone calls you up about your Google Wallet account?
Credit card transaction data is not that hard to get by just going through someone's trash too. This isn't really a new problem.
Re:No kidding. (Score:5, Funny)
That'd be a really cool trick.
Re: (Score:3)
You shouldn't trust they are who they say they are if they call you anyway. Lots of people throw out old bank statements without shredding them, and even if they did with their bank statements collecting enough random receipts all paid with the same debit card would give you enough transactions for a time period to make you sounds official. You should request to call the bank back about the matter and then dial them yourself -- from a known general customer service number for the institution, not a direct n
Re: (Score:2)
You would think businesses would encourage this. Here in Canada, we have a phone company, Bell Canada, which states on their web site that reputable businesses won't call you and ask for credit card information. Yet, one time I forgot to pay my bill and they called up and asked for my credit card information over the phone. It sounded very legitimate. I asked to talk to the manager and they directed me towards another person who apparently didn't see anything wrong with the practice.
It is businesses lik
Re: (Score:2)
Indeed, but if someone steals your phone and it isn't protected they probably have a lot more information than what is being described here. The information stored is about the same as you might find on an ATM receipt with the addition of the expiration date. All of which I can probably get from your e-mail/facebook/sms/etc
Re:No kidding. (Score:5, Funny)
It all depends on your definition of social engineering. I find the best results come with a $5 wrench and a few minutes in an alley. People become very cooperative to anything you ask for.
Re: (Score:2)
Well, I see your low ID and can only conclude that you have been cryogenically frozen and have just been woken up. I feel I should tell you that a wrench that will be in any way menacing costs more than $5 these days.
Re: (Score:2)
I know you're going for the joke, but from a serious aspect (here come the "whoosh" replies) that is lousy SE because the victim knows what you're doing. Unless you kill or incapacitate them, then after you leave they're going to call cops, cancel cards, etc. Good SE requires the victim not know they were attacked. You can't do that with a wrench.
I guess this is getting to be an automatic button with me. Every time someone brings up crypto, someone else brings up the wrench, and it's almost always wrong
Re: (Score:2)
"Hey man, could I borrow your phone for a sec to call home? Mine ran out of battery."
More like "Hey man, could I borrow your phone for an hour, hook it up to my computer, use an exploit to root it without wiping it and then go rummaging around in the contained SQLite databases?"
Okay, the attacker obviously wouldn't ask that. But this requires far more than borrowing a phone "for a sec" to make a phone call.
Nothing to see here, move along... (Score:5, Informative)
It stores the last 4 digits of the credit card, so you know which card was used in your google wallet. My telephone company does this, as does paypal if I remember correctly. Whilst it may not be stored easily in plain view of anyone, I think someone breaking into either of those accounts would be more likely than someone first stealing my phone, rooting it then access the sqlite DB.
To be honest, I am more afraid of my local 7/11 employee who swipes my credit card every day in plain view when I buy milk, newspaper and mamma noodles. I think even some POS systems display the card number on their terminal screen!
These days, I think most credit cards have secondary verification systems in place so even if someone did get my card number, it would be very difficult to use. I already have a hard enough time booking airline tickets online and trying to remember what my Verified by Visa password is. Stupid story and I read somewhere that even some stupid phone provider in the US (Verizon maybe?) has delayed the sale of the Nexus because of this.
Re: (Score:2)
You are not required to hide the first 6 digits or the last 4. That part of the card is not "sensitive"
Re: (Score:2)
Stupid story and I read somewhere that even some stupid phone provider in the US (Verizon maybe?) has delayed the sale of the Nexus because of this.
I think what you're referring to is that Verizon has refused to allow Google Wallet on the new Galaxy Nexus, and has used this as part of their justification. However, it seems more likely that their real concern with Google Wallet is that they're part of a consortium (ISIS) which is developing a competitor to Google Wallet. Verizon wants to be able to rent space on the secure elements in the phones on their network. They figure credit card issuers and others will pay for the right to get their stuff ins
Social Engineering (Score:5, Funny)
Caller: Hi, I'm calling from... er... Google... and it says here in this text file that you have a credit card number on file with us. Is that right?
Victim: Yes, that's right.
Caller: Cool. Would you mind giving me that account number so I can verify your identity?
Victim: Let me get my card...
Re: (Score:2)
Re:Social Engineering (Score:4, Insightful)
I think it goes more like this:
Caller: Hi, this is Judy from Visa. We have reason to believe that your credit card number has been stolen, do you have the card in your possession now?
Victim: Yes
Caller: Can you verify that the last 4 digits are 1234?
Victim: Yes, that's my card
Caller: Can you verify the answer to your security question?
Victim: My mother's maiden name is "Cartwright"
Caller: yes, that is correct, thank you for verifying your identify. Our system has detected $17,372 of fraudulent charges on your card. but don't worry Mr Smith, we can immediately block the card and reverse the charges. We'll just need to you read the full 16 digit card number and security code so we can get started.
Many people will fall for the scam - the caller obviously knows the last 4 digits of their card number and their security question. (which, of course they don't, but it sounds like they do), so they must be legit.
Re: (Score:3)
Last 4 digits and issuer are printed on most receipts. Sometimes even the name and expiration date are printed.
Re:Social Engineering (Score:4, Interesting)
They seem quite accommodating. They've done their job by contacting me, and I avoid all social engineering attacks.
Re: (Score:2)
I challenged him to confirm his identity; all he did was reaffirm his claim to be calling from my card provider but without offering any proof beyond that. I refused to proceed, pointing out that I had no
It's the last 4 digits (Score:5, Insightful)
From TFA:
While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database.
The same last 4 digits that are printed on your credit card receipts and show up as plain text on many web sites that store credit cards.
Doesn't seem like a big deal - people should know better than to give their card number to someone that has the last 4 digits of their card number since they could have gotten them anywhere. (or just guessed - send a spam email to 10 million people with a randomly generated 4 digit number, and you'll have guessed right for 1000 of those people.)
Re: (Score:2)
More than that because you would say card ending in xxxx and since people have multiple cards the hit ratio would be a bit higher.
Just more smear campaign against Google (Score:2)
I wonder who financed this "news."
I wonder is biased blogs should be used for "news."
And so? (Score:5, Insightful)
And so what? Your phone must be able to decode the stored data, so it must somehow acquire decryption key.
That means that this decryption key must be transmitted over the network or stored on the device itself. And if it's stored on the device, then the whole encryption scheme is nothing more than complex obfuscation.
Re: (Score:2)
Well, they could possibly encrypt it with your PIN, no? Although since AFAIK most people use 4 digit PINs, it'd take about a second to decrypt it.
Not very clear. (Score:2)
iaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.
This is very, very vague.. Something as simple as a email address could be used for this purpose.
It's not plain data! (Score:2, Funny)
It's rot32 encrypted.
*twice*.
'Cause it's the only way to be sure...
Re: (Score:2, Funny)
rot32 was broken 6 months back. I have moved to rot128 since then. It is 4 times stronger - sure it takes a little more power, but I can sleep well at night now.
Re: (Score:2)
Other Cyrillic scripts? Belarussian, for example, or Russian without "Yo".
For when you are too lazy..... (Score:4, Informative)
to even follow the link and lookup the summary..... here it is:
- A fair amount of data is stored in various SQLite databases including credit card balance, limits, expiration date, name on card, transaction dates and locations and more.
- The name on the card, the expiration date, last 4 card digits and email account are all recoverable
- [Fixed in Version 1.1-R41v8] When transactions are deleted or Google Wallet is reset, the data is still recoverable.
- The Google Analytic tracking provides insights into the Google Wallet activity. While I know Google tracks what I do, it’s a little frustrating to find it scattered everywhere and perhaps in a way that can be intercepted on the wire (non-SSL GET request) or on the phone (logs, databases, etc.)
- [Fixed in Version 1.0-R33v6] The application created a recoverable image of my credit card which gave away a little more info than needed (name, expiration date and last 4 digits). While this is not enough to use a card, it’s likely enough to launch a social engineering attack.
So it is as safe as anything else you use to pay stuff!
Shit... it is easier to just swipe someone's credit card bill! ^^
Same as a sales receipt (Score:2)
FTFA: "While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database."
Sheesh, big deal about nothing. You know how many gasoline sales receipts end up in the garbage can next to the automated upmp.
You know what else store CC numbers in cleartext? (Score:5, Insightful)
My credit card.
I'm going to steal someone's phone to get their credit card number? Why not take their wallet?
Re: (Score:2)
I would assume the concern is more with malware harvesting the info from thousands of phones via some security hole, rather than someone stealing phones one at a time.
Re: (Score:2)
Isn't that the important part? If someone steals my phone (which is encrypted btw - galaxy nexus ftw) they're going to have an easier time just grabbing my wallet to make fraudulent charges.
I'm not defending Google but... (Score:5, Informative)
...I do work in security for a telecoms product manufacturer and maintainer and there are a HUGE number of companies out there that store credit card data in plain text.
However, you cannot just look at that one particular issue to make a determination as to whether or not the data is secure - it's also about how the system on which that data is stored is isolated from the real world, what firewalling and access controls are in place to restrict who can get to that data, whether or not they update the systems regularly, etc. etc.
This is NOT a security exploit, there's no report of any security hole that makes that data available to the rest of the world, unlike what happened to Sony - so some prespective needs to be put on this.
Any wise company conducts regular Risk Assessments on their infrastructure to determine what potential security risks exists, how big those risks are and how much it will cost to fix it. In this particular case, it might be that using encrypted credit card information might entail having to upgrade very expensive applications to a later version, all of which will factor into the cost of fixing the issue. If Google has determined that the risk of an outside party getting to that data is extremely low, then they may not consider it worth the expense of the upgrade.
Every company will do this, even Apple and Microsoft, and many of them do choose to adopt PCI (Payment Card Industry) guidelines on storing this kind of data correctly.
It could be argued that someone stealing a file of encrypted credit card data from a company is a much bigger issue than someone (so far) not being able to steal unencrypted data from a company - so it's always wise to put some perspective around these kinds of statements.
So? (Score:2)
The last 4 digits of your credit card number, that are often printed on your receipts as "plain text" are also stored as plain text by Google Wallet.
So?
Must have more info. (Score:2)
If they have your phone and have gained enough access to gather this information, why don't they just use your phone to empty your accounts? Why bother going through all the trouble to snarf data and social engineer the owner? The article should be more clear on if an installed application other than Google Wallet can access the Sqlite3 file. If that is the case, encrypted or not, it is broken. If that is not the case then they didn't find anything very useful. Who, that is capable of rooting a phone a
Google Wallet? Really? (Score:2)
AFAIK Google is only 1 notch more trustworthy than Facebook. I can't see anyone in their right mind, who isn't rationalizing to accept a convenience, willingly turning over their financial information to either organization.
Re: (Score:3)
So what if it's stored in plaintext on the phone itself? What matters is what's transmitted off of the phone.
I think it matters because if someone's phone is lost or stolen (or infected by malware) they don't want the card number to be stolen.
Re: (Score:2)
Thankfully the CC number isn't stored, only the last four digits.
Re: (Score:2)
If the phone is going to send the credit card number to a nearby device (which is what it's doing with NFC), then it needs to have access to the plaintext credit card number. So the phone can store the CC# encrypted, but it has to be encrypted with a key based on user input (which is generally short) or stored on the phone (which doesn't actually provide substantial security).
Re: (Score:2)
No journalists just google hate blog (Score:2)
And slashdot thinks this is news.
Re: (Score:2)
Well, that's only if you yourself are rooting the device, not a piece of malware using some privilege escalating bug.
But then, if you've got user to install a rootkit, why stop with 4 last digits and transaction history, when you can just leave a logger to sit around and wait for all the account info?
Re: (Score:2)
That would be samzenpus, but it's not like any other Slashdot editor would have done better.