Google Wallet Stores Card Data In Plain Text 213
nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."
Stupid headline (Score:5, Insightful)
"Stores Card Data In Plain Text"
isn't quite the same thing as
"suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number"
No kidding. (Score:5, Insightful)
viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.
Correct me if I'm wrong, but isn't social engineering the art of tricking people into giving information or access they wouldn't normally? If the security is breached through human gullibility I don't see what method of storing the data is going to protect against that, unless it's storing it where nobody but PCs have access to it and no humans have access to said PC's.
I can socially engineer the card holder to give me their card info and you can't encrypt against that.
Re:No kidding. (Score:4, Insightful)
I think the point being that if you can trick someone into giving you a file that they don't know contains their credit card number in plain text, unlike giving you the card number directly, they don't even know what you have.
Re:No kidding. (Score:5, Insightful)
Re:No kidding. (Score:5, Insightful)
You are only seeing the little picture. The idea is that if someone can get ahold of this data (like say they snatch your phone) then they can use that data to trick you into believing that they are someone trustworthy, like a rep at your bank.
For example, they get your payment transaction history and then they call you up - tell you your transaction history as a means of authenticating themselves as someone who works for your bank and then get you to disclose your online banking username and password, at which point they empty your entire savings account.
It's the last 4 digits (Score:5, Insightful)
From TFA:
While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database.
The same last 4 digits that are printed on your credit card receipts and show up as plain text on many web sites that store credit cards.
Doesn't seem like a big deal - people should know better than to give their card number to someone that has the last 4 digits of their card number since they could have gotten them anywhere. (or just guessed - send a spam email to 10 million people with a randomly generated 4 digit number, and you'll have guessed right for 1000 of those people.)
And so? (Score:5, Insightful)
And so what? Your phone must be able to decode the stored data, so it must somehow acquire decryption key.
That means that this decryption key must be transmitted over the network or stored on the device itself. And if it's stored on the device, then the whole encryption scheme is nothing more than complex obfuscation.
Re:No kidding. (Score:2, Insightful)
Wouldn't you be kind of suspicious if your phone gets snatched and suddenly someone calls you up about your Google Wallet account?
Credit card transaction data is not that hard to get by just going through someone's trash too. This isn't really a new problem.
Re:Social Engineering (Score:4, Insightful)
I think it goes more like this:
Caller: Hi, this is Judy from Visa. We have reason to believe that your credit card number has been stolen, do you have the card in your possession now?
Victim: Yes
Caller: Can you verify that the last 4 digits are 1234?
Victim: Yes, that's my card
Caller: Can you verify the answer to your security question?
Victim: My mother's maiden name is "Cartwright"
Caller: yes, that is correct, thank you for verifying your identify. Our system has detected $17,372 of fraudulent charges on your card. but don't worry Mr Smith, we can immediately block the card and reverse the charges. We'll just need to you read the full 16 digit card number and security code so we can get started.
Many people will fall for the scam - the caller obviously knows the last 4 digits of their card number and their security question. (which, of course they don't, but it sounds like they do), so they must be legit.
Re:Stupid headline (Score:4, Insightful)
Oh, so this is on a users phone? (Yea I didn't read FTA).
If so, this is right up there with the previous scandal about Android keeping passwords in plaintext. In that case you had to be root to gain access them, meaning whether or not they were stored as plaintext would be a moot point. If you're root, then surely you can do anything including invoke any methods used for decryption. Same goes for this.
Re:No kidding. (Score:1, Insightful)
I can socially engineer the card holder to give me their card info and you can't encrypt against that.
Compare:
"Hey man, could I borrow your phone for a sec to call home? Mine ran out of battery."
"Hey man, could I see your credit card for a sec? (Mine ran out of money...)"
It's easier to agree to the first one.
Re:Stupid headline (Score:4, Insightful)
I'm curious as to what social engineering technique could be used to find a card number? I have never seen a website that will reveal credit card info as anything other than **** **** **** 1234, nor have I ever heard of a bank that will give out your number over the phone. The only thing they ever do is post you out a new card and disable the current one.
Seriously, phone up your bank and say "Hey it's Mr Smith here, I left home without my card today and I absolutely must buy this cute thingymabob on the internet, I know the last 4 digits are 1234 but that's it - could you help a brother out?" and see what happens. Then there's the CVN which shouldn't be stored in ANY payment system - except maybe the card authenticator themselves (i.e. Visa/Mastercard).
You know what else store CC numbers in cleartext? (Score:5, Insightful)
My credit card.
I'm going to steal someone's phone to get their credit card number? Why not take their wallet?
Re:Stupid headline (Score:5, Insightful)
If I have your mobile phone with access why would I bother trying to get to your creditcard when I can get pretty much anything I want - it has access to E-mail, SMS, friends and family.
I could just try and grab all your passwords, getting to your online email client before you do I can probably change settings enough for you to be unable to quickly recover anything. From that point I can start initiating scam mails at your friends and family.
Having a credit card number is only useful for a limited time; having access to all your personal data will enable an attacker to keep stealing.
Re:Bitcoin is more secure than ACH (Score:4, Insightful)
Re:Stupid headline (Score:5, Insightful)
I'm curious as to what social engineering technique could be used to find a card number?
The target is not the bank or credit card company - it is the owner of the phone ... and remember, it doesn't have to work often (or on /.ers):
- Someone with malicious intent gets your Google Wallet info from your phone (either via malware or acquiring your phone).
- They contact the owner of the phone claiming to be from one of the stores that is listed in the plain text Google Wallet transaction history.
- They tell the owner of the phone that their records show that your Google Wallet was charged <insert excessive amount here by moving the decimal two places to the right> and surely that amount is not correct.
- They blame the error on the new payment technology (e.g., "they still haven't worked all the bugs out", etc).
- The remind the owner of the phone to pay close attention to their next statement just in case this happened with any other retailer.
- They tell the owner of the phone that they need the CC# and CCV to issue the credit because "they don't store that information for security reasons".
- If they've played their role correctly the owner of the phone may provide the requested information.
Re:Stupid headline (Score:3, Insightful)
Phone call:
" hi this is the chase anti fraud department. We've noticed some suspicious activity on your account. Can you verify if you initiated the following charges? Oh you did that's great. I just need to verify if you're in possession of your card right now. Can you please read the 16 digits off the front of it for me?"
I wouldn't fall for it. You and most slashdotters probably wouldn't either. But rest assured there are still millions who would. Those same people who go clicking every link they find in their emails, I'm sure a few of them would succumb to this sort of attack. Letting the their get enough information about you so that they can sound like the should have this info is a bad thing.
I'll jump on the band wagon that says this is incredibly irresponsible. Especially if it's tri that the program is x"protected by a PIN". The developers recognized that the program stores and accesses vital data, but didn't take the next step of insuring access too all of its data would be blocked without that pin.
Oh that's right. It's safe because only someone with root access can access it. Even though rooting an android phone is hardly rocket science. (that last statement is conjecture since I no longer use an android)
The storage is PCI-compliant, based on the article (Score:4, Insightful)
Actually even if PCI does apply to the mobile app, based on the article the storage does meet the PCI storage guidelines, which are not as stringent as you might imagine. PCI actually does not require encryption of the credit card number as long as it is truncated to the last 4 digits. And cardholder name and expiration date may be plain text. This is explained on p. 8 of the PCI-DSS v2.0 spec, and in Requirement 3.4.
That said, the plain-text storage is incredibly stupid, and any payment apps on a phone should go above and beyond PCI requirements. And apart from the storage, the rest of the data path needs to be examined to look for other unencrypted links.
Re:Not tooo worried about this one (Score:5, Insightful)
But the apps' SQLite databases resident on the Android phones included credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates -- information that viaForensics says could be used, for example, as a way to social-engineer the actual credit-card account from the cardholder.
That is just bad security from so large company that is trying to get everyone to use their mobile payment platform. You really shouldn't give them a pass on this just because they're Google. They need to be held to same security standards as everyone else.