ViaForensics conducted a recent study on Google Wallet, discovering that while the electronic payment system does store credit card numbers securely, it can also leave personal information easily accessible. Using a rooted Nexus S 4G, the firm found that the application writes unencrypted database files that contain payment transaction histories. Details about the credit cards used are also present, including account balances, credit limits, expiration dates, and the last four digits of the card numbers themselves. "Many consumers would not find it acceptable if people knew their credit card balance or limits," the company stated in its report. "Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high."
Two additional vulnerabilities were discovered — images with partial credit card information were present in the file system, and removing a card from Google Wallet wouldn't delete its transaction history — but both issues were resolved with software updates. While the vulnerabilities may sound worrisome, it should be noted that they pertain only to rooted devices, where a user has full access to a phone's underlying files. Google defended its implementation, saying in a statement that the report "focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers ... Android actively protects against malicious programs that attempt to gain root access without the user's knowledge." While that's accurate, it's obviously quite easy for a stolen phone to be rooted and harvested for information. Still, with Google Wallet's rollout proceeding at a snail's pace — the Nexus S 4G is still the only phone to officially support the feature — Mountain View will have plenty of time to address ViaForensics' concerns.
There are 67 Comments. Add yours.
Ok. So what they’re saying is this is just as secure as ANY ATM paper slip that most folks throw away??
Posted on Dec 13, 2011 | 5:38 AM EST via mobile reply Recommend (11) Flag actions
Nope, that kind of information is not on an ATM paper slip.
Posted on Dec 13, 2011 | 5:40 AM EST reply Recommend (7) Flag actions
A lot of it is on the transaction history paper slip.
Posted on Dec 13, 2011 | 6:01 AM EST reply Recommend (6) Flag actions
if your bank prints out the credit limit, balance or limits, on the receipts… I would have to say it’s time for a new bank.
Posted on Dec 13, 2011 | 10:23 AM EST reply Recommend (4) Flag actions
Balances are offered on the receipts. Limit’s are not, but for rooted phones only, this seems like a non-issue for the every day user and even less of an issue if you don’t plan on losing you’re phone.
And the allegation that you could just “root it” and get the information off is wrong. To turn S-Off on the Nexus S, it requires a full wipe.
Posted on Dec 13, 2011 | 12:32 PM EST reply Recommend (3) Flag actions
First with atm cards, yes, not credit cards, (which is what i was talking about) no. You don’t think they will come up with easier root methods? alla unrevoked? or any of the other one click roots?
Posted on Dec 13, 2011 | 12:49 PM EST reply Recommend Flag actions
No, because in order to unlock the bootloader to root, your phone undergoes a full wipe.
I should know. I just went through it. Took about 10 minutes to do and another to get ICS onto my Nexus S 4G. Loving it!
Posted on Dec 13, 2011 | 12:58 PM EST reply Recommend (3) Flag actions
congrats,
that’s A8 1ghz correct? Does it feel smoother?
Posted on Dec 14, 2011 | 6:11 PM EST reply Recommend Flag actions
Easier methods?
“fastboot oem unlock” is how you unlock the bootloader to a Nexus phone. It then prompts you for a full wipe and then it’s done. But yes, you need to wipe the phone.
But yeah, you’re right about the credit vs debit thing but that’s to say that you use a credit card over a debit. But regardless, credit cards shift all security liability to the bank. If someone breaks into you’re account, you are not liable.
Posted on Dec 13, 2011 | 1:05 PM EST reply Recommend (1) Flag actions
i smell verizon..
Posted on Dec 13, 2011 | 5:52 AM EST reply Recommend (4) Flag actions
That’s the first thought that came to my head.
Posted on Dec 13, 2011 | 8:41 AM EST reply Recommend (1) Flag actions
Haha, me too!
Posted on Dec 13, 2011 | 9:33 AM EST reply Recommend (1) Flag actions
To do any of this the thief would have to steal your phone and root it. Even after that, all they could get would be your balance, limit, last four digits of the account, and a list of purchases. GW purchases still need a pin in order to be placed. In order for this to be useful it would have to be a piece of a social engineering campaign specifically targeted against the individual.
The thief would still be better off just stealing your actual wallet containing your ID and credit cards and not your phone.
Posted on Dec 13, 2011 | 6:11 AM EST reply Recommend (11) Flag actions
what a ridiculous excuse, that info shouldn’t be there in the first place
Posted on Dec 13, 2011 | 7:34 AM EST reply Recommend (4) Flag actions
It’s not an excuse it’s a fact.
If you had your wallet stolen with a recent printed transaction slip from an ATM they’d have more information than is available above.
Posted on Dec 13, 2011 | 7:54 AM EST reply Recommend (8) Flag actions
It’s a straw man argument idiot.
You’re avoiding the issue and you’re trying to justify it by pointing out worst case scenarios.
“cars flipping over are less damaging than them bursting into flames and exploding, therefore, cars flipping over isn’t an issue”
you realise how stupid your argument is?
Posted on Dec 13, 2011 | 8:05 AM EST reply Recommend (1) Flag actions
There’s no need to call someone an idiot. It dilutes your argument.
It’s not a straw man argument. The straw man would be the thief running a coordinated, targeted, tech-heavy social engineering campaign. That’s FAR more unlikely than someone getting mugged and giving up their license, credit cards, receipts, and house keys. No rooting required.
Stating that the information gleaned by this vulnerability is “very dangerous” is questionable at best.
Posted on Dec 13, 2011 | 8:25 AM EST reply Recommend (8) Flag actions
You don’t even realise you’re doing it do you. You just did what I accused you off in your own reply.
Posted on Dec 13, 2011 | 8:31 AM EST reply Recommend Flag actions
bravo troll.
Posted on Dec 13, 2011 | 8:56 AM EST reply Recommend (6) Flag actions
Yeah, he managed to be either hypocritical or ironic in each of his posts. OH look, TheVerge has a troll option for flagging people. How wonderful.
Posted on Dec 13, 2011 | 9:31 AM EST reply Recommend (2) Flag actions
So because there are worse things that can happen to you, this turns out to be a non-issue. Is that your premise???
Posted on Dec 13, 2011 | 12:38 PM EST reply Recommend Flag actions
No need to steal the phone. Imagine a simple piece of malware software that exploited this. Many devices out there are rooted, particularly the Nexus variety. Imagine if someone wrote malware that rooted your device and stole this info…or figured out how to steal it without rooting. It’s a mistake, it needs to be fixed.
Posted on Dec 13, 2011 | 10:23 AM EST reply Recommend Flag actions
It still pays to be cautious at all times, specially to those who have rooted their phones. All this small insignificant information can result into something huge and disastrous, specially when fallen to the hands of a tech genius
Posted on Dec 13, 2011 | 10:42 AM EST reply Recommend Flag actions
How is this sensitive information, you can’t do shit with it. Plus, you’re obviously always able to get it, when you’re in the total control of the device (root).
Posted on Dec 13, 2011 | 6:41 AM EST reply Recommend (7) Flag actions
spreading FUD…
Posted on Dec 13, 2011 | 7:06 AM EST reply Recommend (8) Flag actions
What is it with Android’s crap security, this is like the 4th major security flaw in weeks. First HTC’s fiasco where anyone could read personal data, then CarrierIQ on almost every Sprint and AT&T Android phone, now this.
Posted on Dec 13, 2011 | 7:32 AM EST reply Recommend (1) Flag actions
…Not in stock Android.
…Not in stock Android.
…Not in stock Android. You have to go out of your way to root your phone for this to information to be at risk. Also, look at what the information is. It’s pretty much what’s on receipts that you probably either leave at the point of sale or simply throw in the trash, anyway.
If you don’t feel comfortable with the platform, simply don’t use it. Personally, I’m going to continue to use the Nexus devices that I’ve been using and feel quite secure.
Posted on Dec 13, 2011 | 7:52 AM EST reply Recommend (9) Flag actions
I don’t agree with LolyPopBrigade’s comment but it really doesn’t matter if it’s stock Android or not. The Nexus series aren’t typically Android’s best selling handsets.
The only thing this article tells me is that rooting or jailbreaking your devices in the future is a very risky proposition especially when it is increasingly carrying a large amount of sensitive information.
Posted on Dec 13, 2011 | 8:17 AM EST reply Recommend Flag actions
Oh, it very much does matter. Carriers and manufacturers need to stop messing with the OS and introducing security holes, other bugs, and removing basic functionality that’s included with the stock OS (something for another thread). Until they do that, I will continue dismissing their phones and not having a contract and lower monthly fee (so, they’re getting less money from me).
Posted on Dec 13, 2011 | 8:44 AM EST reply Recommend (2) Flag actions
No, it doesn’t matter. The simple fact is that there are far more Android devices being sold that have been customized than the stock version. They are still considered Android devices.
The carriers and manufacturers will always screw with Android because technically nobody owns it. They will do what’s best for them and you have to treat that as a constant and always assume the worst.
Their position is understandable. As much as you want to customize the OS the way you like it, they want to do the same so they can differentiate their product from competitors and add value to the device to keep you in the ecosystem.
Posted on Dec 13, 2011 | 9:48 AM EST reply Recommend (1) Flag actions
That’s not completely true, either. Google does own Android, and there’s no one saying that anyone has to modify it beyond stock. If someone/some company chooses to, that’s their prerogative but it doesn’t make it Google’s fault.
Google shouldn’t be blamed for what other people do with their tools (Android in this case), just as the American Chrome Shovel Company shouldn’t be blamed if one of their shovels is modified into a machete and used to kill people.
Posted on Dec 13, 2011 | 10:00 AM EST reply Recommend (2) Flag actions
it does matter if it’s stock android or not if you are proclaiming “android crap security”. if it is a security problem with HTC Sense then you proclaim “HTC crap security”, and similarly for other two flaws..
you wouldn’t say “windows/osx crap security” if you find a security exploit in Adobe flash, even if it is installed on 90% of computers..
Posted on Dec 13, 2011 | 8:50 AM EST reply Recommend (1) Flag actions
Bad example – Adobe is software running on OS-X, HTC is a vendor selling android. It would be more like HP, Dell and the other top PC vendors all introducing security holes in windows. You can’t completely absolve android of the OEMs’ sins when android is, by design, almost always sold modified by the OEMs.
Posted on Dec 13, 2011 | 9:42 AM EST reply Recommend Flag actions
it’s hard to make a perfect analogy, but i still think your reasoning is not valid. if it is an error in HTC Sense, it is, by definition, not an error in all android devices, so you can’t proclaim it “an issue with (all of) android”.
or to expand on your thinking, Linux (the kernel) is, by design, almost always downloaded modified/as part of a GNU/Linux distro (the OS). if there is an exploit in the software added by the distro, you wouldn’t call it “crappy Linux security”.
(for bonus irony points, android is based on linux, and nobody proclaims “crappy linux security” when an exploit is found in Google Wallet ;)
Posted on Dec 13, 2011 | 10:05 AM EST reply Recommend Flag actions
If it were only Sense that was a problem that would be one thing, but as a recent academic paper showed – it isn’t.
http://www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf
Check out table 3.
Posted on Dec 13, 2011 | 11:31 AM EST reply Recommend Flag actions
i did check it out, it turns out, stock google phones (Nexus One/S) have:
1) only one permission leak,
2) it is explicit (user is asked to allow it),
3) it is in 3rd party code (still, packaged by google),
4) and it can only be used to delete one specific (hardcoded) app.
yes, that’s a bug, but not as serious as say, PDF font rendering exploit that allows a web page to root your phone if you just visit it..
(sound familiar? iPhone jailbreak?)
Posted on Dec 15, 2011 | 9:36 PM EST reply Recommend Flag actions
Don’t forget, CarrierIQ was on the iPhone and Blackberry phones too…
Posted on Dec 13, 2011 | 8:55 AM EST via mobile reply Recommend (4) Flag actions
Rooting your Android, like jailbreaking your iPhone or BB is akin to removing the safety from your gun. You sure as hell better make sure to not point it at yourself after making the modification. To me specifically granting an untrusted app root access (which is still required even after rooting the phone) is equivalent to pointing the gun at yourself.
When iPhone and BB catch up and get NFC and they are jailbroken, I have to believe there will be security implications for them as well.
Posted on Dec 13, 2011 | 9:12 AM EST reply Recommend (1) Flag actions
Is it just me or does someone seem like they have an agenda?
Posted on Dec 13, 2011 | 12:10 PM EST reply Recommend Flag actions
Obvious troll is obvious. You jelly dude?
Posted on Dec 13, 2011 | 12:58 PM EST reply Recommend Flag actions
This doesn’t seem to be a huge deal, beyond being embarrassing – but if this was Apple not Google, it would be being called wallet-gate already.
Posted on Dec 13, 2011 | 7:35 AM EST reply Recommend (4) Flag actions
Wait a second. You’re telling me that disabling a security feature of the phone (rooting it) makes it less secure?
Posted on Dec 13, 2011 | 7:45 AM EST reply Recommend (8) Flag actions
Making it rootable in the first place makes it less secure
Posted on Dec 13, 2011 | 7:49 AM EST reply Recommend Flag actions
Better tell that to Apple, and RIM, and Palm.
Posted on Dec 13, 2011 | 8:33 AM EST reply Recommend (1) Flag actions
Cars are “rootable” with people being able to replace their own brakes which makes for more potential dire consequences, doesn’t makes cars as a platform for transportation completely unsafe. It’s up to the person whether or not to take on that risk, their option. However if someone does their own brakes/root and the brakes/security fail, then they can’t really blame the manufacturer who made it or dealership/carrier who sold it as they did so with the expectation a authorized and/or trained person would complete any maintenance.
Posted on Dec 13, 2011 | 10:35 AM EST reply Recommend Flag actions
Bugs and bad design in software? Never seen that before.
/sarcasm
At least it will all be fixed by the time I get my Galaxy S III.
Posted on Dec 13, 2011 | 8:23 AM EST reply Recommend Flag actions
So how would someone, with malicious intent, go about getting this information? They would have to steal my phone then root it? Because that’s what I took from this and if that’s the case then this isn’t really a story. Move along.
Posted on Dec 13, 2011 | 8:32 AM EST reply Recommend (1) Flag actions
Like the “locationgate scandal” that required the malicious person to steal someones phone or PC and retrieve the file, know how to interpret it and even then only gave your approximate locations over a period of time but it was still newsworthy enough to reqire senate intervention?
Posted on Dec 13, 2011 | 8:59 AM EST reply Recommend Flag actions
What? I honestly have no idea what you are talking about. Unless you are talking about the iPhone thing and I didn’t think that was news worthy either.
Posted on Dec 13, 2011 | 9:31 AM EST reply Recommend Flag actions
I don’t think Google is required to protect this limited data against either 1) You loosing your phone, 2) you not only rooting your phone, but then allowing root access to a malicious software.
That would be like Visa and MC having to issue cards that magically have their numbers disappear if you lose your wallet. Or banks giving you receipts in special ink that only you can read. If you lose your crap or show it to a complete stranger then you’re bound to get yourself into trouble.
Not saying Google shouldn’t take steps to remove even this info if possible, but nothing to get worked up over.
Posted on Dec 13, 2011 | 8:50 AM EST reply Recommend (1) Flag actions
On latest-clean phones, getting that info requires… A full wipe (fastboot oem unlock).
Tell me that wouldn’t actually wipe the information.
I dare you.
Posted on Dec 13, 2011 | 8:55 AM EST reply Recommend Flag actions
Want to stick it to the Carrier IQs of the world? Root your phone! Oh…
Posted on Dec 13, 2011 | 9:19 AM EST reply Recommend (1) Flag actions
Ok, so what about on a stock Nexus S 4G? Meaning not rooted. Like cybik said, in order to write anything (including the superuser executables), you have to do a setup the android SDK, find a fastboot executable, reboot to the bootloader and run ‘fastboot oem unlock’ at a command prompt. Which then tells you straight out that its going to wipe and reset EVERYTHING on the phone, loosing all that sensitive data that they claim to get a hold of… Am I missing something here?
Posted on Dec 13, 2011 | 9:43 AM EST reply Recommend (1) Flag actions
I think the real story here is that The Verge has started to get into the business of writing sensationalist headlines. I had honestly come to respect This Is My Next/The Verge, and look forward to reading their articles every day.
Garbage headlines like this, though, are the reason I stopped reading Business Insider. I sincerely hope that the Verge curbs this beginning of a trend before I have to give it up, too.
Posted on Dec 13, 2011 | 9:46 AM EST reply Recommend Flag actions
How would you write the headline? Just curious, because I don’t see “Google Wallet leaves sensitive data unencrypted and accessible, says security firm” as being sensationalist.
That’s what the security firm said, and that’s what the Verge reported. In my opinion, a sensationalist headline would be something like “Google Wallet Hacked to Unencrypted Bits, Your Data at Risk.”
Posted on Dec 13, 2011 | 10:21 AM EST reply Recommend (1) Flag actions
I suppose you’re correct, in as far as that is what the security firm said. It just still feels sensationalist to report on something sensationalist.
In order for this to be an issue, someone would have to steal your phone and root it, which wouldn’t give them any data that could be used against me (the test of what is sensitive in my book). It just wouldn’t make sense to target random people, steal all of their phones, root them, gather this minimal info and then social engineer attacks on a person-by-person basis. It’s just not economical on a theft standpoint.
In fact, it would be far easier to steal a wallet and get all of the personal info that way if you really wanted to spend some money. Nothing that could be stolen from Google Wallet can be directly used to make a purchase, which is what makes this “security firm’s” report sensationalist, in my opinion.
So, back to your original question: I wouldn’t have even written the article, let alone the headline. Why give moronic, misleading “reports” such as this one any time in the press. They serve only to spread FUD and mislead people.
Posted on Dec 13, 2011 | 11:12 AM EST reply Recommend (2) Flag actions
By the way, I want to thank you for responding to my comment despite what I might think of the article. It’s very good to know that you are paying attention to what others say and makes me want to participate more.
Posted on Dec 13, 2011 | 11:16 AM EST reply Recommend Flag actions
Yeah, I mostly agree with you there – this new info on Google Wallet is a non-issue for me. You’re right, that is a lot of hoops to jump through to get the information.
Posted on Dec 13, 2011 | 11:22 AM EST reply Recommend (2) Flag actions
If someone stole my phone, they’d find a lot more sensitive information sitting in my gmail – they wouldn’t have to root my phone.
Posted on Dec 13, 2011 | 10:20 AM EST reply Recommend (1) Flag actions
Google should do something about it, knowing that most android phones are rooted devices, which poses them to the Google Wallet security threat.
Posted on Dec 13, 2011 | 10:43 AM EST reply Recommend Flag actions
“most android phones are rooted devices” = False
Posted on Dec 13, 2011 | 12:07 PM EST reply Recommend (2) Flag actions
<troll>Sure makes you want to check out his web site, doesn’t it?</troll>
Posted on Dec 13, 2011 | 12:28 PM EST reply Recommend Flag actions
Dude, you trippin if you think most Android devices are rooted.
Posted on Dec 13, 2011 | 1:01 PM EST reply Recommend Flag actions
Another day, another security issue for google. They need to fix their shit.
Posted on Dec 13, 2011 | 12:36 PM EST reply Recommend Flag actions
I would not be at all surprised to see VZW use this as a reason to block Wallet.
Posted on Dec 13, 2011 | 12:47 PM EST reply Recommend Flag actions
So in order to get the same amount of credit card information a thief would have to:
1. Steal your credit card statement from your mailbox
or
1. Steal your phone
2. Root your phone
3. Find the database files used by the NFC app and extract the plain text data.
Yup, path of least resistance all the way.
Posted on Dec 13, 2011 | 12:55 PM EST reply Recommend Flag actions
Complaining about this issue id like saying it’s a security risk to keep receipts in your REAL wallet. I’m sure a criminal could glean all sorts of useful information from them to orchestrate some sort of social engineering campaign against you, however if someone has managed to get your wallet in their hands I somehow doubt their primary interest would be your receipts.
Posted on Dec 14, 2011 | 8:00 AM EST reply Recommend Flag actions
Something to say? Choose one of these options to log in.