Google Wallet's Major Security Flaw - The UpStream

Google has recently launched their new Google Wallet platform - a way for people to pay for at retail stores simply by waving their phone at a device in the store. You can pay using a MasterCard, Google PrePaid card or store gift card, as well as using rewards cards. Obviously this technology requires special devices at stores as well as a phone with Near Field Communication (NFC) included.

Security research firm ViaForensics released their review of the new Google Wallet platform for Android this week and the news, while not unexpected, is disturbing. It turns out that the software stores several pieces of user data in plain text on the phone. While credit card numbers and actual transactions are encrypted, data such as cardholder name and transaction history are not, allowing for the possibility of social engineering attacks.

Social engineering, for those who do not know, is defined by Wikipedia as,

Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

In other words, by having the right information, a person could gain access to your credit card account, and all of that information is stored on your phone. Hit the break to find out what information is stored on the device and why it is such a big deal.

According to the report,

One table I focused on was the nfcTapEvent table which contains the fields id, proto, purchase_time (for example 1317917991629 which is Unix Epoch in milliseconds) and is_dirty (which is not a flag for adult stores). Here we can find a lot of data, most notably in the proto field which has some binary data and needs to be further analyzed or decoded.

However, it's quite easy to find interesting info including the address of the transaction, which card I used, the card expiration date as well as my name.

Also available through the phone's data is card type, last 4, current balance, open to buy, payment due dates and much more. By using the NFC technology or by stealing the phone, a person could gather enough information about you and your account to be able to call MasterCard and take over your account, getting another card issued or charging online orders to the existing one.

Once Google was informed about the issues, they released a new build of the app, but I don't really think that is good enough. It seems that Google has proven once again that they do not ever think about security. As with most Google product launches, there was bound to be some sort of major mistake, but this one is bigger than normal. When it comes to mobile payments, I think I'll stick to PayPal.