Google Wallet Stores Card Data In Plain Text 213
nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."
Not tooo worried about this one (Score:4, Informative)
Nothing to see here, move along... (Score:5, Informative)
It stores the last 4 digits of the credit card, so you know which card was used in your google wallet. My telephone company does this, as does paypal if I remember correctly. Whilst it may not be stored easily in plain view of anyone, I think someone breaking into either of those accounts would be more likely than someone first stealing my phone, rooting it then access the sqlite DB.
To be honest, I am more afraid of my local 7/11 employee who swipes my credit card every day in plain view when I buy milk, newspaper and mamma noodles. I think even some POS systems display the card number on their terminal screen!
These days, I think most credit cards have secondary verification systems in place so even if someone did get my card number, it would be very difficult to use. I already have a hard enough time booking airline tickets online and trying to remember what my Verified by Visa password is. Stupid story and I read somewhere that even some stupid phone provider in the US (Verizon maybe?) has delayed the sale of the Nexus because of this.
Re:Stupid headline (Score:2, Informative)
RTFL: "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext."
Re:Stupid headline (Score:5, Informative)
Neither statement is completely clear, but as I see it Google Wallet is storing (some) data about the card in plain text, which may be enough for anyone that discovers it to obtain further details about that person and their card from the financial institution via social engineering.
To me this means if you lose your phone, it may have enough information on it to enable the finder to then get your credit card details through social engineering.
Re:Stupid headline (Score:5, Informative)
Also it cites the PCI standard, but that applies only to a full credit card number that has been transmitted already.
In this case, it only keeps the 4 digits of the card number and the expiration date in plain text on your own phone. It's not bad compared to a regular wallet that will keep the full credit card number, the expiration date, the full name, and the verification code as well, all written in plain text on some flat piece of plastic.
For when you are too lazy..... (Score:4, Informative)
to even follow the link and lookup the summary..... here it is:
- A fair amount of data is stored in various SQLite databases including credit card balance, limits, expiration date, name on card, transaction dates and locations and more.
- The name on the card, the expiration date, last 4 card digits and email account are all recoverable
- [Fixed in Version 1.1-R41v8] When transactions are deleted or Google Wallet is reset, the data is still recoverable.
- The Google Analytic tracking provides insights into the Google Wallet activity. While I know Google tracks what I do, it’s a little frustrating to find it scattered everywhere and perhaps in a way that can be intercepted on the wire (non-SSL GET request) or on the phone (logs, databases, etc.)
- [Fixed in Version 1.0-R33v6] The application created a recoverable image of my credit card which gave away a little more info than needed (name, expiration date and last 4 digits). While this is not enough to use a card, it’s likely enough to launch a social engineering attack.
So it is as safe as anything else you use to pay stuff!
Shit... it is easier to just swipe someone's credit card bill! ^^
Re:Not tooo worried about this one (Score:3, Informative)
Sure, mr. Apple Fan, storing the same last 4 digits that are printed on every receipt is a security nightmare. Google is EEEEVIL. EEEEEVIL, I tell you!
"Way to spin it" is what article summary and headline do.
Re:Not tooo worried about this one (Score:5, Informative)
However, it is worth noting that even if they ignore all of the best practices, they are probably technically in the clear right now. Mobile Applications are currently exempted from PCI and PA enforcement pending an update to the rules. As they are currently written, they acknowledge that they were not designed with mobile devices in mind. Mobile payment application developers are encouraged to follow the general guidelines of PCI, but they are somewhat left to their best judgement.
Re:Not tooo worried about this one (Score:5, Informative)
The passwords were *cough* hashed. I suppose that's a kind of plain text.
I'm not defending Google but... (Score:5, Informative)
...I do work in security for a telecoms product manufacturer and maintainer and there are a HUGE number of companies out there that store credit card data in plain text.
However, you cannot just look at that one particular issue to make a determination as to whether or not the data is secure - it's also about how the system on which that data is stored is isolated from the real world, what firewalling and access controls are in place to restrict who can get to that data, whether or not they update the systems regularly, etc. etc.
This is NOT a security exploit, there's no report of any security hole that makes that data available to the rest of the world, unlike what happened to Sony - so some prespective needs to be put on this.
Any wise company conducts regular Risk Assessments on their infrastructure to determine what potential security risks exists, how big those risks are and how much it will cost to fix it. In this particular case, it might be that using encrypted credit card information might entail having to upgrade very expensive applications to a later version, all of which will factor into the cost of fixing the issue. If Google has determined that the risk of an outside party getting to that data is extremely low, then they may not consider it worth the expense of the upgrade.
Every company will do this, even Apple and Microsoft, and many of them do choose to adopt PCI (Payment Card Industry) guidelines on storing this kind of data correctly.
It could be argued that someone stealing a file of encrypted credit card data from a company is a much bigger issue than someone (so far) not being able to steal unencrypted data from a company - so it's always wise to put some perspective around these kinds of statements.
Re:Why is it a stupid headline? (Score:3, Informative)
The headline merely says the data is stored in plain text, which is true. There is no further implication made.
It should say "Stores Some Card & Transaction Data In Plain Text".
The headline was provocative and misleading because Google Wallet does not store the card number or CCV in plain text, both of which are considered the most important elements of card data.
This type of plain text data storage - even if it is just exp date, transaction dates & amounts, etc - is irresponsible, but TFA also said they needed to root the phone and get past Android security and Google security layers. Of course, if someone targets this data via malware that uses an exploit allowing root access then we're talking a whole different kettle of fish.
Re:Not tooo worried about this one (Score:0, Informative)
My bank stores my password in plain text. It's clearly not even hashed as they only need (eg) the third and fifth characters to give me access. I queried this with them and the person couldn't understand what I meant, and I wasn't allowed to talk to anyone who might understand for "security reasons". Interesting policy.
No, you're not allowed to talk to anyone who might understand because you're an idiot and don't understand security.
Whatever hashing/salting/encrypting technique that can be used safely store passwords can be repeated to safely store individual characters instead.