
Google Wallet leaves sensitive credit card data unencrypted when used on a rooted device, defined as any Android device running a custom version of the OS, according to research firm ViaForensics. This data includes the name on the card, the last four digits of the card number, the card limit, expiration date, transaction dates and locations. However, the full credit card number is not visible. ViaForensics also says that the app creates a recoverable image of an associated credit card, which could be used for a “social engineering” attack. Some of these details are still recoverable even after the Google Wallet account has been reset.
Although the test was performed on a rooted phone, rendering it applicable to only some Android devices, a stolen phone running a default version of the OS can still be rooted, giving access to the encrypted information. “Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high,” says the firm. “For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineer attack.”
While Google says that the study does not “refute” how effective its in-built security is, it has nonetheless altered the Google Wallet app to fix the hole. “Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge,” says the company. “Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices.”