SAN FRANCISCO ? Research released earlier this week revealed Google Wallet locally stores some sensitive user data unencrypted, including a cardholder?s name, transaction dates, email address and account balance, DarkReading.com reports.
Researchers from viaForensics said they tested the security of Google?s new mobile payment service on rooted Android phones and determined that the app leaves sensitive data in the clear.
While the service hides the full credit card number, the last four digits reside in plain text in the app?s local SQLite database.
viaForensics said countering those vulnerabilities, the app repels man-in-the-middle attacks and is protected by a PIN to conduct transactions with the cards.
However, the app?s SQLite databases resident on the Android phones included credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates, data that viaForensics said could be used to social-engineer the card number from the cardholder.
"They underestimated the value of data that consumers are not comfortable with [being exposed]," said Andrew Hoog, chief investigative officer for viaForensics. "I'm not comfortable with someone knowing my credit limit or when my payments are due...If you had that type of information, you could effectively do a social-engineering attack that could get [an attacker] access to an account."
Google responded to the reported, noting that viaForensics? research was conducted on a rooted Android smartphone.
"The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet," the spokesperson said. "But even in this case, the secure element still protects the payment instructions, including credit card and CVV numbers?Android actively protects against malicious programs that attempt to gain root access without the user's knowledge."
Hoog said Google?s criticism of viaForensics? use of rooted phones in its research is misplaced, as up to 15% of smartphone users ?root? their devices.
"If you think about the number of folks who have root and the fact that on every single major iOS and Android released people have been successful at getting root quickly, and that there are remote exploits capable of doing this remotely over a network...we feel that these threats" of exposed data are relevant, he said.
Hoog added that Google needs to either encrypt all of the sensitive cardholder data or not store it locally.
"We give Google credit for putting a PIN on the app," Hoog said. "But if you have to store [sensitive] data, don't store it plain text."

Няма коментари:
Публикуване на коментар