Google Wallet May Not Be Secure Enough According to Forensics Experts

dgstorm

Editor in Chief
Staff member
Premium Member
Joined
Dec 30, 2010
Messages
10,991
Reaction score
3,961
Location
Austin, TX
google-wallet-stuff-logo-security-issues-dec-2011.jpg

A recent study was done by security experts at viaForensics on Google Wallet. According to their report, "Google Wallet is not as secure as it should be." The primary concern highlighted by their study was that Google Wallet stores too much personal data on the device, and its lack of encryption makes things worse. Supposedly, Google Wallet stores user's credit card balance, limits, expiration date, transaction dates, locations, and even their name as it appears on the card and more. While this info alone would not be enough for an unscrupulous third party to charge transactions on the device, it does leave the user open to identity theft or a social engineering attack.

Of course, Google has come forward decrying the validity of the testing because the analysis was performed on a rooted phone. They said that this information can only be accessed from a phone that is rooted. Here is what Google's spokesperson, Nathan Tyler said on the subject,

"The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programs that attempt to gain root access without users' knowledge."

Unfortunately, Google's argument falters, because there have been instances in the past, (and probably the future), in which malware, like "Droid Dream", has gained root access to Android devices. To Google's credit, viaForensics, indicated that Google does several things very well and are on par or better than some other competing mobile payment systems, like Square. Here's a quote from the AmericanBanker.com article with some details,

Google does do many things right security-wise with its Wallet app, including requiring a four-digit PIN. This makes it more secure than a magnetic stripe credit card, which any criminal could steal and use. Anyone who stole an Android phone loaded with the Google Wallet app would have to correctly guess the owner's PIN to buy something with it. "Google, to their credit, said I can't give access to your wallet, I'm going to force you to put in a PIN. The critical thing you need to implement encryption is a password that's not stored in the device but in another system, such as the end user's brain. That's that random, unknown piece of information that unlocks it for you."

Unfortunately, viaForensics indicated that they simply couldn't give Google Wallet a passing grade because of the potential for malware abuse. Andrew Hoog, chief investigative officer at viaForensics made the foreboding statement, "Malware is the storm that's on the horizon."

Source: AmericanBanker
 

RyanPm40

Senior Member
Joined
May 3, 2010
Messages
931
Reaction score
111
I will never use my phone to pay for things. Whether it be Google Wallet or whatever Verizon is concocting with AT&T and T mobile. No matter what, it is far too risky to have such important personal info on my PHONE which is connected to the INTERNET at all times. Besides, if I'm going to a store, I would always have my real wallet with me... I need my driver's license on me in order to legally get to said store!
 
Joined
Mar 27, 2010
Messages
99
Reaction score
1
I wasn't planning on using googol wallet any time soon because of something like this. That doesn't mean that gw won't be refined in the future to where its secure and ready for every day use.
 

johnomaz

Silver Member
Joined
Jul 12, 2010
Messages
3,187
Reaction score
633
Location
Central Valley, California
Current Phone Model
Google Pixel 2XL
I'm sorry, but think about the time it takes to pay with your credit/debit card and the time it would take to pay with your phone. You're at the checkout counter. You dig for your phone (ya women, this is for you and your bottomless purses), unlock it. If you have a passcode or have to draw a shape, thats more time. Open the app, type in your pin and then pass near the reader. That is also if the store has a NFC reader there. Sorry, but it is way faster to just use your debit/credit card to swipe.
 

ohcop72

Member
Joined
Dec 26, 2009
Messages
132
Reaction score
0
It will catch on, it will be refined and it will probably be the future at some point. You would be amazed at how open your credit cards are already on the internet. Just like not running antivirus on my home computer for the past 8 years, if your careful how you use it then you will be safe.
 

CT Raider

New Member
Joined
Nov 9, 2009
Messages
21
Reaction score
3
Current Phone Model
Droid Razr Maxx (time 4 Turbo)
If you've purchased one of Googles 10 cent apps, from their 10 Million DL's promo, you probably already have Google Wallet. It's the backhanded way to get you to use it. And dare I say, probably the reason they are doing the promo in the first place. I know this because I went to buy an app and it told me I'd be using Google Wallet.
 

Mark_V

Member
Joined
Feb 6, 2010
Messages
92
Reaction score
2
Location
OKC
Current Phone Model
Moto G4 Plus
Sorry, but it is way faster to just use your debit/credit card to swipe.

I would venture to guess you made this statement with out ever using NFC to pay for something.
 

Dusty

Gold Member
Joined
Jan 13, 2010
Messages
1,180
Reaction score
483
Location
DC/NoVA
Current Phone Model
Pixel 3XL
The claim seems kind of dubious. The information they were able to get were: the last four digits of the GW account, a list of purchased items, and the remaining balance. These items are pretty useless. It's like looking at someone's ATM receipt and a few store receipts and claiming that you were on the verge of robbing them blind. The phone would have to be rooted and the information is only obtainable with physical access to the phone. So what this tells me is this...

You would have to root your phone, and not have a password lock on it. Someone would then have to physically steal the phone, and, in the end, all they could get from it would be three items of useless information.

If someone had you targeted for identity theft for fraudulent purchases they'd be better off just stealing your wallet or purse if they had physical access to you. Then, they would have your ID and credit cards. If they stole your phone for GW access they'd still need your purchase pin. They would, however have a sweet list of stuff you already bought and an account balance that they don't have access to.

Who paid for this "study". I'm not saying GW is awesome and invincible, but this... this smells fishy, half baked, and sensationalist.

I smell FUD.
 
Last edited:

alboboy10

Senior Member
Joined
Jan 8, 2010
Messages
1,808
Reaction score
19
Lol you're not going to use you're cards...what about other thingsyou buy online. Same thing.
 

manilaboy1vic

Member
Joined
Jan 2, 2010
Messages
694
Reaction score
3
Location
planet earth
it just seems unsafe to me.. there are ways to one click root a phone.. whos to say a developer cannot make an app, throw it on the market and access peoples cc info.... im in no rush to store CC info on my phone..
 

Dusty

Gold Member
Joined
Jan 13, 2010
Messages
1,180
Reaction score
483
Location
DC/NoVA
Current Phone Model
Pixel 3XL
GW doesn't directly store or use your CC info! That's like saying that if someone stole your Target gift card they could wipe out your CC.

Just like on your computer don't install junk from sources you don't trust. Same thing!
 

Sweettooth

Member
Joined
Jan 15, 2010
Messages
726
Reaction score
10
Location
Dallas, Texas
To those saying they don't plan on using their phone in place of a credit/debit card; what are you going to do when plastic cards are no longer in use? I believe very strongly that all your cards and information will one day be consolidated into one object, and since smartphones will likely become the standard if plans and manufacturing costs go down (no more cheapo Nokias), why not put all that information on or have it be accessible from, your phone? Imagine when your phone is your iPod/MP3 player, driver's license, ID, credit/debit card, coupon holder, gift cards, bus pass, library card, GPS/navigation, portable TV, videogame console, remote control, full blown diagnostic utility (a la Star Trek), camera, computer, newspaper...and let's not forget, PHONE, all in one, because that is undoubtedly the future of these devices. Google Wallet and it's clones are just the beginning. These aren't the devices to rule all machines, they're the devices to rule all humans. :blink:
 
Last edited:

RyanPm40

Senior Member
Joined
May 3, 2010
Messages
931
Reaction score
111
Credit Cards and Debit Cards will never cease to exist.
 

ilikemoneygreen

Silver Member
Joined
Apr 7, 2010
Messages
2,579
Reaction score
18
Location
US
GW doesn't directly store or use your CC info! That's like saying that if someone stole your Target gift card they could wipe out your CC.

Just like on your computer don't install junk from sources you don't trust. Same thing!
i dont think that analogy is accurate at all but i like your avatar pic and i have a friend named Dustin who also likes Star Wars so ill agree with you. :biggrin:
 
Top