After Rewrites, Google Wallet Still Has Holes
itwbennett writes "A report from viaForensics makes clear that, despite efforts by Google to tighten up security after a poor evaluation in December, Google Wallet still stores data in too many places and could make it available too easily to be a secure way to make purchases using smartphones."
Re:Slashdot is dead (Score:4, Insightful)
If you don't like it, why are you still here? I may not agree with Slashdot's spin on many stories, but it's still a great aggregation site and the commentary is pretty good if you ignore all of the morons like you. The ability to form your own opinion and present it in a non-troll-like manner still seems to be valued here by a decent majority even if it goes against the prevailing bias.
Re: (Score:1, Offtopic)
Seconded. The news is available from many sources, and is usually not all that new by the time it hits the /. front page. If one wants breaking news, /. is not the site to use as a primary source. It's the (oft maligned) /. community that is the real attraction here. Just tweak the hidden/abbreviated thresholds to a comfortable setting (2/3 when not moderating, personally) and much of the noise that people complain about is filtered, and what remains is usually of sufficient quality to inform, entertain
Re:Slashdot is dead (Score:4, Insightful)
You only get pro-Google
At least paste your tripe in an article that's actually pro-Google, nitwit.
Re: (Score:1, Offtopic)
You only get pro-Google
At least paste your tripe in an article that's actually pro-Google, nitwit.
It's funnier this way. It makes it clear that, no matter how good Google is at autonomous vehicle driving, they still have a way to go with chatbots.
To make an autonomous vehicle analogy, it just ran a red light.
Bullshit (Score:2, Insightful)
It's actually just the opposite.
Slashdot publishes Google smear stories practically every day, including stories with very little credibility, i.e. stories from personal blogs etc.
Re:Slashdot is dead (Score:5, Informative)
This is going to be one of those moments where I wonder why I bothered, but...
Yes, Google was investigated for the wifi data collection. The FTC investigated, and determined that nothing had been done intentionally, and Google agreed to improve their privacy policies accordingly. You can read that here [softpedia.com], should you choose to actually know what's going on.
Yes, Google required real names on G+, and used it as an 'identity service'. What I fail to understand is how that differs from every website in the cosmos requiring me to log in via Facebook. It sucks, but they all do it.
Microsoft used a 90+ percent monopoly in the desktop market to try and dominate the web. Google uses a 60 some percent dominant position (but hardly 'monopoly', given there are several hundred other search engines that could be used) to fund development of a free phone OS no one is required to use. People use it because it works. If Microsoft had provided a browser, but not bundled it in, but given it away for free, there would have been no case against them, just like there isn't against Google now. You aren't required to use Android, there are other options, and you aren't handed a free phone when you visit their search page.
Yes, they injected G+ results in their search results. They did NOT however block results from anyone else like Twitter or Facebook from appearing. They were still in the results. Were G+ results returned with higher rankings? I don't know, never turned that on, and never used G+. Because of that, I never got back search results relating to G+ at all, and as far as I know you can still turn that off, so you don't get them either. I can see why Twitter and the others were butt-hurt about this, it cuts directly into THEIR money, but why are you? Don't like it, SWITCH IT OFF. It hardly constitutes evil to allow you to opt out of something.
Yes, Apple surpassed Android in market share at the end of the year, primarily due to them releasing a new phone. If you want reporting on how the front runner changes every 12 seconds, I am sure there are places for that, but I personally don't care to read how a new vendor 'owns' a half a percent higher share of the market every single day. The first time someone passes the front runner it's news. The 27th time they change places, it just isn't.
Perhaps you get modded down on posts like these because you engage in name-calling, present a closed-minded position, assume a victimized attitude, lash out with hate, and refuse to present a reasoned, well argued position? Just a thought.
Re: (Score:2)
Oh for God's sake - this meme is as bad as the one that said "Google puts its own financial results above others in its search results!". No. No, it doesn't. What is happening is that space around the actual search results - which, btw, is clearly defined - is used to show other Google products. Furthermore, I'm not sure that Twitter and Facebook have a leg to stand on to claim that they are more relevant than.... well, anything.
The Zdnet story is very simple: Facebook and Twitter want to get a free ride on Go
Re: (Score:1)
I don't really care about Facebook or Twitter's woes. Google has no obligation to promote others' sites any more than Microsoft should be required to distribute Firefox.
What's really bad about this situation is that Google is hurting users by returning (vastly) less relevant results, even when it is aware of a more relevant answer. When they put strategic tie-ins above relevance, they alienate their audience.
Re: (Score:2)
You can't deny Google is forcing their Google+ results where more relevant results should be, or that they dumped Android onto the mobile market, forcing webOS and MeeGo out of the market. They offered the Google Maps API for free, pushing out competitors, and now that they have dominant market share they're charging businesses for it.
Re: (Score:2)
Actually Google is doing the same thing with VoIP, pushing others out of the market by subsidizing free calls to the US and Canada with Google Talk. Now they're using Motorola's FRAND patents to push Apple out of the market, although the EU won't allow them to do it.
Re: (Score:1)
It hardly constitutes evil to allow you to opt out of something.
While I agree with the majority of your post, I think it is evil to require users to opt out. To me that is the same as saying that Microsoft wasn't evil to bundle the browser; you could 'opt out' by deleting it and installing your own browser, after all.
Re: (Score:2)
They had to change their privacy policies so that there was just one single privacy policy. It was basically a re-wording that used 85% fewer words to tell you the same thing.
There was nothing to really opt out of, but if it rubs you the wrong way just quit using their services.
Re: (Score:2)
It hardly constitutes evil to allow you to opt out of something.
While I agree with the majority of your post, I think it is evil to require users to opt out. To me that is the same as saying that Microsoft wasn't evil to bundle the browser; you could 'opt out' by deleting it and installing your own browser, after all.
All true for the fact that no, you could not delete IE.
Re: (Score:3)
Microsoft wasn't anti-competitive because it was forcing people to use IE to go download FF or whatever, and it's a joke the European courts ruled that way. Most people's response to that article was pretty much indifference, with a few anti-MS zealots going another way. The MS bashing on /. has dropped tremendously of late because Apple has been taking a huge part of the market share.
You want to know what is anti-competitive? Walled off app markets (Apple/MS), paying major manufacturers to use only your so
Re: (Score:2)
It isn't "said" at all, when the actual figure is 66% [thehill.com], and I claimed 60 some percent, is it? I also imagine the FTC would have gained much from your insights, and how you 'aren't buying' the accidental thing. I am sure they could have used you during the investigation. I am sure you could explain to them how it was unbelievable that a device designed to record all kinds of telemetry data might accidentally save too much.
Your anecdote about a friend being upset about youtube ad prices was very informative
Re: (Score:1)
This will get modded down because trolls have taken over the moderation system and openly subvert it.
By your hypothesis, this post will get modded sky-high, moron. If me pointing out that you're stupid does not get modded up, that suggests that there is not a significant pro-google crowd who has hijacked the board. If it does, then I get modded up. I call that a win-win, but you wouldn't understand that because you're not very smart.
PS. Google rules, and you're dumb.
Re: (Score:2)
I would hardly call him a troll, he has a point even if he does over dramatize the matter.
You would have to be pretty blind to not notice the huge bias in most of the news summaries.
It's not dead, but it could benefit from some healing.
Paywall? (Score:3, Informative)
I think it should be noted that the report is behind a paywall.
Could have been done right... (Score:2, Insightful)
Re: (Score:3)
Do you know how easy it is to lift a thumb print? Or how unlikely it is that you would generate the same key from that print reproducibly? Biometrics are less than useless for security purposes because they cannot readily be changed, but can be readily stolen.
The only hardware feature that actually increases security usefully is the use of devices like CryptoCard/SecurID tokens—non-networked devices that produce a different (but predictable) number each time. Unfortunately, it only helps if the bad
Re: (Score:2)
It's more accurate to say real security is impossible. If someone really wants to get at you, they will. Security is all about making it easier to get the next guy so it isn't worth the effort.
Re: (Score:2)
And any security measure, once deployed broadly enough, becomes very nearly useless at achieving that goal. Indeed, the only reason passwords aren't basically useless is that users can choose arbitrarily long passwords, up to the limit of their memory, which means that they aren't deployed evenly....
When additional security is deployed broadly and evenly, the only thing it really does is raise the minimum level of knowledge required to break the system. Depending on the level of cooperation among thieves,
Re: (Score:2)
On the old 2D sensors, maybe. But modern fingerprint sensors are 1D - they contain a sensor that scans as the user swipes the finger over the sensor. It makes it much harder to lift a fingerprint from (the fingerprint is wiped as it's read), as well as making the sensor MUCH smaller - something that can fit on a smartphone without consuming too much space.
Modern fingerprint sensors you find on computers are already the swipe kind. You'd have better luck lifti
Re: (Score:2)
Who said anything about lifting the print from the sensor? The owner has been holding the phone. There are bound to be full sets of prints all over it.... Not to mention that glass at the bar, the steering wheel, the door handle....
Re: (Score:2)
Um, I don't think things work the way you think they do. With respect, you do not understand what you are talking about and are in significantly over your head. Thumb prints don't give a definitive hash, it's more like a quasi-match that looks close enough. Every scan of your finger print looks different and has to be analyzed so you couldn't reproduce the same hash later. Even if it could make a uniform cache, using asymmetric crypto in this case makes no sense at all. Asymmetric is inherently and sub
Re: (Score:2)
Oh, and if what you are thinking with asymmetric crypto is to do a bitcoin like thing where the merchant would have to hand the receipt to be digitally signed and then send it in to the merchant bank, they would still need to know which bank to send it to and which account it is associated with. The account information would still have to be transmitted in the encrypted communication, the signing would simply help ensure that a vendor doesn't try to charge things that they are not authorized to charge. Th
Re: (Score:2)
then generate a hash from the thumbprint
Consistent hashes require consistent input, and fingerprints are not that. Fingerprint readers are designed with an error tolerance because fingerprint scans are inconsistent. They can't be used to secure data, only to instruct software it's ok to grant access to something the software has the capacity to access anyway.
Re: (Score:2)
I'm sure others will rip this to shreds. Google isn't about your security they're about tracking every fucking thing you do. They made Android open so they could get it on more phones. It was not designed with security in mind. Their app was not designed well as a good security design does not fit their track every fucking thing you do paradigm. Since there is an alleged standard for them to live down to Google won't have to design a truly secure app, just one that meets the standard.
Real security is hard.
Lots of good stuff about Google, but . . (Score:5, Insightful)
Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to set up and use, lack of features, and essentially no help from Google.
I have used Google Wallet, and I have used PayPal. PayPal is *far* superior.
I am far from a Google hater. I even have some of those weenie Google certs in Analytics and Google Apps. Sadly, Google Merchant and Google Wallet are just not worth using.
Google is aware of the many problems with Google Apps, Merchant, Wallet, etc. But Google only really cares about their bread-and-butter advertising business. Everything else is on a distant back burner. Google services, other than advertising, are things that Google employees work on in their spare time - very low priority.
Re: (Score:3, Insightful)
You know Google's failing badly on a project when PayPal has a better product.
Re: (Score:3)
Their wallet, checkout, or whatever really does suck.
As a merchant, I've found Google Checkout to be quite useful. Its API has more features than PayPal's, and its Order Processing interface is far superior to any other I've used. It allows me to send multiple tracking numbers to a customer, which PayPal STILL does not allow. Searching and archiving is far easier in Checkout. And don't forget about speed. PayPal's site is abysmally slow, while Checkout is lightning quick in just about every function. Generating reports is immediate, while PayPal makes you wa
Re: (Score:2)
Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to set up and use, lack of features, and essentially no help from Google.
I have used Google Wallet, and I have used PayPal. PayPal is *far* superior.
No, you haven't used Google Wallet. You've used Google Checkout. Those two are not the same (not yet anyway).
Google Wallet is an NFC-enabled application (NFC means Near Field Communication). It allows you to tap your phone and pay at the check out counter at a few chain stores. Google Wallet currently requires an Android NFC phone (which represents less than 2% of the install base of Android devices in the US).
Thus far in the US, only the Nexus S, the Galaxy Nexus, and the HTC Amaze support NFC, but it won'
Pathetic (Score:2)
You would think that Google has enough money and perks to hire a few really good IT security experts. Apparently they do not have the corporate culture to do so. Pathetic.
Re: (Score:2)
No you're quite wrong there -- they can and ostensibly do hire some really great people (security included). They also hire absolute chaff a lot of the time, but neither of those have anything to do with why wallet and such suck.
They aren't ads, and they aren't search. Google only actually cares about the stuff that makes them money, or the stuff that could make them money. They've already botched wallet and checkout, just like gTalk the launch was awful in a crowded market and the product is a failure beca
Re: (Score:2)
So they have managed to turn themselves into a standard greedy corporation? No surprise here. Makes sense to me.
Google is putting their eggs in too many baskets (Score:2)
Fail (Score:1)
Requires root (Score:5, Interesting)
The key thing to keep in mind about the various Google Wallet deficiencies is that they all require the attacker to get your phone and root it... and he still has less information about and/or ability to use your card than if he'd gotten your credit card. That's not to say that the Wallet issues don't need to be addressed, but it does mean that carrying your credit card in your phone is more secure than carrying your credit card in your wallet.
Bottom line: Google Wallet security isn't as good as it could be, but it's still better than plastic.
Oh, I guess there is one way plastic might be more secure... the phone conducts transactions via RF, so there's still the possibility of someone doing a payment transaction with your phone while it's in your pocket, without your knowledge. Google Wallet addresses that risk in three ways. First, NFC is very short range: 1-2 centimeters with off-the-shelf equipment, perhaps 10 cm in the lab. Second, if your screen is turned off, the NFC payment is disabled. Third, if you haven't entered your PIN in the last few minutes (15?), NFC payment is disabled. In addition, all of the normal credit card risk management infrastructure is still in place, as well as the legal limitations on your liability.
Honestly, the biggest problem with Google Wallet isn't security, it's acceptance. Unless you want to eat at McDonald's a lot, it's fairly difficult to find merchants who can accept it.
Re: (Score:2)
However, I did just get off the phone with Money Network (the company that manages the Google Prepaid card on Google Wallet). After speaking with them and doing a little reading, I discovered that the phone owner is not liable for fraudulent charges. You must notify them as soon as possible though (855-492-5538, toll free).
Re: (Score:3)
Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic [gizmodo.com]
Ah... I didn't realize that had been published. I really wasn't trying to hide it, but as a Google employee I have to be circumspect about things that aren't yet public.
As the Gizmodo article mentions, Google is working on a fix which addresses this issue. In case it's not clear from the article, this only affects Google Prepaid card balances. If you've put your Citibank MasterCard in Google Wallet an attacker can't gain access to it. Adding a "real" card requires typing in the card number. It's
Re: (Score:2)
Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic [gizmodo.com]
Oh, and I should also have said: Still more secure than plastic. Especially if you use the lock screen.
Re: (Score:2)
No, it's only more secure than the joke swipe cards you use in the US. A pin+chip card is way more secure than the Wallet crap.
Somewhat more secure, yes, at present. When the outstanding vulnerabilities in Wallet are fixed, the reverse will be true because of the Chip & PIN PIN spoofing attack, which AFAIK still hasn't been fixed (it's an EMV protocol design flaw, so not easy to repair).
Do you ever get any work done, or do you just spend your day refreshing /. hoping for more Google stories so you can spew your garbage?
I've gotten plenty done today, how about you? And can you point out something I've said which is "garbage"?
Re: (Score:3)
Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic [gizmodo.com] However, I did just get off the phone with Money Network (the company that manages the Google Prepaid card on Google Wallet). After speaking with them and doing a little reading, I discovered that the phone owner is not liable for fraudulent charges. You must notify them as soon as possible though (855-492-5538, toll free).
BTW, to address this Google has temporarily disabled re-provisioning of Prepaid cards. If you or someone else erases your Google Wallet configuration and then attempts to re-configure it, you will not be able to get your Prepaid card back. Currently-provisioned devices will work as they should, meaning you can add and spend value at will, and new devices that have never been provisioned can be provisioned and will work properly, but any device that once had a Google Prepaid card added to it and then was s
Re: (Score:3)
Little tinfoil hattish, I agree, but meh. Datamining is the primary goal, and from the wardriving we know that personal data privacy be damned.
Re: (Score:2)
So you suggest I voluntarily give my credit card information to Google?
Well, if you use Android and buy apps from the Android Market, or buy stuff with Google Books, or through Google Checkout (recently renamed Wallet), or use the paid developer APIs, or... you already have. Google, like any other large on-line seller, routinely manages tens of millions of customer credit card numbers, and has been doing so for years. Google is PCI compliant, and actually goes far beyond PCI requirements in terms of the security precautions it takes. That's the area I work on most of the ti
Google is still responsible (Score:2)
It is, after all: **Google** Wallet.
So it certainly has something to do with Google. If it's a Google product, it's up to Google to make sure it works correctly. No matter who Google contracts with.
This pales compared to (Score:2)
Re: (Score:1)
You should probably put a PIN on your market account, and / or not let your kids know your PIN.
I got burned once when I trusted my 7 y.o. cousin to play with my phone. Proud owner of a few jewels in some game, and a new app.
It *ALWAYS* asks the PIN whenever you make a purchase through the market; there's no timeout.