
After Rewrites, Google Wallet Still Has Holes

Posted by samzenpus
from the leaking-like-a-sieve dept.
itwbennett writes "A report from viaForensics makes clear that, despite efforts by Google to tighten up security after a poor evaluation in December, Google Wallet still stores data in too many places and could make it available too easily to be a secure way to make purchases using smartphones."

  • Paywall? (Score:3, Informative)

    by Anonymous Coward on Friday February 10, 2012 @01:41PM (#38996957)

    I think it should be noted that the report is behind a paywall.

  • You don't even need a secure area on the smart phone. You could put a thumbprint reader on the phone, then generate a hash from the thumbprint, then use that hash to generate a public/private key pair, then encrypt the credit card details with the public key. The phone would never have to store the private key at all. That is just one of many ideas that would help make this secure. Among others: 1. Require a thumbprint *and* a PIN code 2. Have an uber-long password to reset things in case
    • by dgatwood (11270)

      Do you know how easy it is to lift a thumb print? Or how unlikely it is that you would generate the same key from that print reproducibly? Biometrics are less than useless for security purposes because they cannot readily be changed, but can be readily stolen.

      The only hardware feature that actually increases security usefully is the use of devices like CryptoCard/SecurID tokens—non-networked devices that produce a different (but predictable) number each time. Unfortunately, it only helps if the bad

      • by AJH16 (940784)

        It's more accurate to say real security is impossible. If someone really wants to get at you, they will. Security is all about making it easier to get the next guy so it isn't worth the effort.

        • by dgatwood (11270)

          And any security measure, once deployed broadly enough, becomes very nearly useless at achieving that goal. Indeed, the only reason passwords aren't basically useless is that users can choose arbitrarily long passwords, up to the limit of their memory, which means that they aren't deployed evenly....

          When additional security is deployed broadly and evenly, the only thing it really does is raise the minimum level of knowledge required to break the system. Depending on the level of cooperation among thieves,

      • by tlhIngan (30335)

        Do you know how easy it is to lift a thumb print?

        On the old 2D sensors, maybe. But modern fingerprint sensors are 1D - they contain a sensor that scans as the user swipes the finger over the sensor. It makes it much harder to lift a fingerprint from (the fingerprint is wiped as it's read), as well as making the sensor MUCH smaller - something that can fit on a smartphone without consuming too much space.

        Modern fingerprint sensors you find on computers are already the swipe kind. You'd have better luck lifti

        • by dgatwood (11270)

          Who said anything about lifting the print from the sensor? The owner has been holding the phone. There are bound to be full sets of prints all over it.... Not to mention that glass at the bar, the steering wheel, the door handle....

    • by AJH16 (940784)

      Um, I don't think things work the way you think they do. With respect, you do not understand what you are talking about and are in significantly over your head. Thumb prints don't give a definitive hash, it's more like a quasi-match that looks close enough. Every scan of your finger print looks different and has to be analyzed so you couldn't reproduce the same hash later. Even if it could make a uniform cache, using asymmetric crypto in this case makes no sense at all. Asymmetric is inherently and sub

      • by AJH16 (940784)

        Oh, and if what you are thinking with asymmetric crypto is to do a bitcoin like thing where the merchant would have to hand the receipt to be digitally signed and then send it in to the merchant bank, they would still need to know which bank to send it to and which account it is associated with. The account information would still have to be transmitted in the encrypted communication, the signing would simply help ensure that a vendor doesn't try to charge things that they are not authorized to charge. Th

    • by nahdude812 (88157) *

      then generate a hash from the thumbprint

      Consistent hashes require consistent input, and fingerprints are not that. Fingerprint readers are designed with an error tolerance because fingerprint scans are inconsistent. They can't be used to secure data, only to instruct software it's ok to grant access to something the software has the capacity to access anyway.
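The distinction drawn in the replies above (a matcher tolerates scan-to-scan variation, a hash does not), as an added example that is not part of the original thread. The 256-bit template, the noise level and the 10% threshold are constructed assumptions, not any real sensor's format.

```python
import hashlib
import random

TEMPLATE_BITS = 256      # constructed template size, not a real sensor format
MATCH_THRESHOLD = 0.10   # assumed tolerance: accept if <= 10% of bits differ


def enroll(seed):
    """Build a constructed 'fingerprint template' as a list of 0/1 bits."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


def rescan(template, noisy_bits, seed):
    """Simulate a later scan of the same finger: flip a few bit positions."""
    rng = random.Random(seed)
    scan = list(template)
    for i in rng.sample(range(TEMPLATE_BITS), noisy_bits):
        scan[i] ^= 1
    return scan


def hash_of(template):
    """What 'generate a hash from the thumbprint' would feed a key generator."""
    return hashlib.sha256(bytes(template)).hexdigest()


def bit_error_rate(a, b):
    """Fraction of template positions where two scans disagree."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matcher_accepts(enrolled, scan):
    """Threshold comparison: yields a yes/no answer, not key material."""
    return bit_error_rate(enrolled, scan) <= MATCH_THRESHOLD


if __name__ == "__main__":
    enrolled = enroll(seed=1)
    same_finger = rescan(enrolled, noisy_bits=8, seed=2)
    other_finger = enroll(seed=99)
    print("same finger accepted: ", matcher_accepts(enrolled, same_finger))
    print("other finger accepted:", matcher_accepts(enrolled, other_finger))
    print("enrolled hash:", hash_of(enrolled)[:16])
    print("rescan hash:  ", hash_of(same_finger)[:16])
```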

    • by mrmeval (662166)

      I'm sure others will rip this to shreds. Google isn't about your security they're about tracking every fucking thing you do. They made Android open so they could get it on more phones. It was not designed with security in mind. Their app was not designed well as a good security design does not fit their track every fucking thing you do paradigm. Since there is an alleged standard for them to live down to Google won't have to design a truly secure app, just one that meets the standard.

      Real security is hard.

  • by walterbyrd (182728) on Friday February 10, 2012 @02:06PM (#38997215)

    Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to setup and use, lack of features, and essentially no help from google.

    I have used google wallet, and I have used paypal. Paypal is *far* superior.

    I am far from a google hater. I even have some of those weenie google certs in analytics, and google apps. Sadly, Google merchant, and google wallet, are just not worth using.

    Google is aware of the many problems with google apps, merchant, wallet, etc. But google only really cares about their bread-and-butter advertising business. Everything else is on a distant back burner. Google services, other than advertising, are things that google employees work on in their spare time - very low priority.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      You know Google's failing badly on a project when PayPal has a better product.

    • by mackil (668039)

      Their wallet, checkout, or whatever really does suck.

      As a merchant, I've found Google Checkout to be quite useful. Its API has more features than Paypal's, and its Order Processing interface is far superior to any other I've used. It allows me to send multiple tracking numbers to a customer, which Paypal STILL does not allow. Searching and archiving is far easier in Checkout. And don't forget about speed. Paypal's site is abysmally slow, while Checkout is lightning quick in just about every function. Generating reports is immediate, while Paypal makes you wa

    • Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to setup and use, lack of features, and essentially no help from google.

      I have used google wallet, and I have used paypal. Paypal is *far* superior.

      No, you haven't used Google Wallet. You've used Google Checkout. Those two are not the same (not yet anyway).

      Google Wallet is an NFC-enabled application (NFC means Near Field Communication). It allows you to tap your phone and pay at the check out counter at a few chain stores. Google Wallet currently requires an Android NFC phone (which represents less than 2% of the install base of Android devices in the US).

      Thus far in the US, only the Nexus S, the Galaxy Nexus, and the HTC Amaze support NFC, but it won'

  • You would think that Google has enough money and perks to hire a few really good IT security experts. Apparently they do not have the corporate culture to do so. Pathetic.

    • No you're quite wrong there -- they can and ostensibly do hire some really great people (security included). They also hire absolute chaff a lot of the time, but neither of those have anything to do with why wallet and such suck.

      They aren't ads, and they aren't search. Google only actually cares about the stuff that makes them money, or the stuff that could make them money. They've already botched wallet and checkout, just like gTalk the launch was awful in a crowded market and the product is a failure beca

      • by gweihir (88907)

        So they have managed to turn themselves into a standard greedy corporation? No surprise here. Makes sense to me.

  • Google has been experimenting with so many things lately. They are fiddling with self-driven cars, trying to get into home entertainment system, cell phone business etc. I have been a big fan of google, but lately I have been having issues with a lot of their products. This is mostly maintenance stuff but it annoys me, especially considering that the products were good and easy to use in the beginning such that I switched to using google stuff for a lot of my day to day activities; Gmail has become slower and e
  • Not cool at all, product fail.
  • Requires root (Score:5, Interesting)

    by swillden (191260) <shawn-ds@willden.org> on Friday February 10, 2012 @02:53PM (#38997689) Homepage Journal

    The key thing to keep in mind about the various Google Wallet deficiencies is that they all require the attacker to get your phone and root it... and he still has less information about and/or ability to use your card than if he'd gotten your credit card. That's not to say that the Wallet issues don't need to be addressed, but it does mean that carrying your credit card in your phone is more secure than carrying your credit card in your wallet.

    Bottom line: Google Wallet security isn't as good as it could be, but it's still better than plastic.

    Oh, I guess there is one way plastic might be more secure... the phone conducts transactions via RF, so there's still the possibility of someone doing a payment transaction with your phone while it's in your pocket, without your knowledge. Google Wallet addresses that risk in three ways. First, NFC is very short range. 1-2 centimeters with off-the-shelf equipment, perhaps 10 cm in the lab. Second, if your screen is turned off, the NFC payment is disabled. Third, if you haven't entered your PIN in the last few minutes (15?), NFC payment is disabled. In addition, all of the normal credit card risk management infrastructure is still in place, as well as the legal limitations on your liability.

    Honestly, the biggest problem with Google Wallet isn't security, it's acceptance. Unless you want to eat at McDonald's a lot, it's fairly difficult to find merchants who can accept it.

    • by JStyle (833234)
      Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic [gizmodo.com]

      However, I did just get off the phone with Money Network (the company that manages the Google Prepaid card on Google Wallet). After speaking with them and doing a little reading, I discovered that the phone owner is not liable for fraudulent charges. You must notify them as soon as possible though (855-492-5538, toll free).
      • by swillden (191260)

        Ah... I didn't realize that had been published. I really wasn't trying to hide it, but as a Google employee I have to be circumspect about things that aren't yet public.

        As the Gizmodo article mentions, Google is working on a fix for this which addresses this issue. In case it's not clear from the article this only affects Google Prepaid card balances. If you've put your Citibank MasterCard in Google Wallet an attacker can't gain access to it. Adding a "real" card requires typing in the card number. It's

      • by swillden (191260)

        Oh, and I should also have said: Still more secure than plastic. Especially if you use the lock screen.

      • by swillden (191260)

        Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic [gizmodo.com] However, I did just get off the phone with Money Network (the company that manages the Google Prepaid card on Google Wallet). After speaking with them and doing a little reading, I discovered that the phone owner is not liable for fraudulent charges. You must notify them as soon as possible though (855-492-5538, toll free).

        BTW, to address this Google has temporarily disabled re-provisioning of Prepaid cards. If you or someone else erases your Google Wallet configuration and then attempts to re-configure it, you will not be able to get your Prepaid card back. Currently-provisioned devices will work as they should, meaning you can add and spend value at will, and new devices that have never been provisioned can be provisioned and will work properly, but any device that once had a Google Prepaid card added to it and then was s

    • by bhcompy (1877290)
      So you suggest I voluntarily give my credit card information to Google? No, I'll pass. I trust Yahoo more than I trust Google with my personal information, as Google has made it very explicit what they demand from their users recently.

      Little tinfoil hattish, I agree, but meh. Datamining is the primary goal, and from the wardriving we know that personal data privacy be damned.
      • by swillden (191260)

        So you suggest I voluntarily give my credit card information to Google?

        Well, if you use Android and buy apps from the Android Market, or buy stuff with Google Books, or through Google Checkout (recently renamed Wallet), or use the paid developer APIs, or... you already have. Google, like any other large on-line seller, routinely manages tens of millions of customer credit card numbers, and has been doing so for years. Google is PCI compliant, and actually goes far beyond PCI requirements in terms of the security precautions it takes. That's the area I work on most of the ti

  • I couldn't care less about nitpicking about how they store it internally. What is a real problem though, that after I buy something using it (from my PC, mind you), 3rd party programs on my Samsung Galaxy Tab suddenly gain rights to charge me, WITHOUT ASKING my password! (brilliant idea, dear Google) Bum, and you've just purchased non-refundable "5000 Happy Stars" for "Sheeps & Clouds" game for mere 7.99 Euro. How on Earth, after the story with Apple losing the case for remembering password for 15 min
    • by Anonymous Coward

      You should probably put a PIN on your market account, and / or not let your kids know your PIN.

      I got burned once when I trusted my 7 y.o. cousin to play with my phone. Proud owner of a few jewels in some game, and a new app.

      It *ALWAYS* asks the PIN whenever you make a purchase through the market; there's no timeout.
