Google Wallet May Not Be Secure Enough According to Forensics Experts

[dgstorm]

A recent study was done by security experts at viaForensics on Google Wallet. According to their report, "Google Wallet is not as secure as it should be." The primary concern highlighted by their study was that Google Wallet stores too much personal data on the device, and its lack of encryption makes things worse. Supposedly, Google Wallet stores user's credit card balance, limits, expiration date, transaction dates, locations, and even their name as it appears on the card and more. While this info alone would not be enough for an unscrupulous third party to charge transactions on the device, it does leave the user open to identity theft or a social engineering attack.

Of course, Google has come forward decrying the validity of the testing because the analysis was performed on a rooted phone. They said that this information can only be accessed from a phone that is rooted. Here is what Google's spokesperson, Nathan Tyler said on the subject,

"The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programs that attempt to gain root access without users' knowledge."

Unfortunately, Google's argument falters, because there have been instances in the past, (and probably the future), in which malware, like "Droid Dream", has gained root access to Android devices. To Google's credit, viaForensics, indicated that Google does several things very well and are on par or better than some other competing mobile payment systems, like Square. Here's a quote from the AmericanBanker.com article with some details,

Google does do many things right security-wise with its Wallet app, including requiring a four-digit PIN. This makes it more secure than a magnetic stripe credit card, which any criminal could steal and use. Anyone who stole an Android phone loaded with the Google Wallet app would have to correctly guess the owner's PIN to buy something with it. "Google, to their credit, said I can't give access to your wallet, I'm going to force you to put in a PIN. The critical thing you need to implement encryption is a password that's not stored in the device but in another system, such as the end user's brain. That's that random, unknown piece of information that unlocks it for you."

Unfortunately, viaForensics indicated that they simply couldn't give Google Wallet a passing grade because of the potential for malware abuse. Andrew Hoog, chief investigative officer at viaForensics made the foreboding statement, "Malware is the storm that's on the horizon."

Source: AmericanBanker