The Green Sheet, Inc

The Green Sheet Online Edition

January 09, 2012  •  Issue 12:01:01


Forensics expert, Google differ on Wallet security

A forensics exam of Google Inc.'s Google Wallet by the digital forensics and security firm viaForensics LLC revealed a number of apparent holes in the mobile wallet's ability to protect the personal information it stores. However, the ease with which these holes can be exploited to steal data remains at issue between the two companies.

"We've agreed to disagree," both the researcher, viaForensics Chief Investigative Officer Andrew Hoog, and a Google representative who asked to remain on background separately told The Green Sheet.

The forensics report

Hoog reported in a blog released Dec. 12, 2011, "While Google Wallet does a decent job securing your full credit card numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card).

"Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high."

He additionally wrote, "Privacy conscious consumers understand that analyzing nearly everything you use Google Wallet for is basically the price you pay for the service. From a tech standpoint, it's very exciting to see Google Wallet in production. However, it has consistently been viaForensics' position that the largest security risk from apps using NFC does not stem from the core NFC technology but instead the apps that use the technology."

Google applauded

Hoog told The Green Sheet he applauds Google for its open system. He said the company studied his findings and even corrected a problem he found - deleted data that could be recovered. "In the long term, open systems tend to be more secure" because people are able to find problems and point them out to the software firm, he noted.

"Google had an appropriate reaction to our findings," Hoog added. "They looked at each case and responded. They worked with us and made changes. They did not address all the items we found." He noted his analysis encompassed "only 10 percent of the tool kit we would use if we are really analyzing an application," and it is possible there are problems with the wallet viaForensics did not find.

Hoog suggested Google can do two things to fix the problems he addressed. The first is not to store data on the phone. "It doesn't do any good to store data if you can [otherwise] fetch data like payment history over a network and display it," he said. "There's no need to store the data, and I believe Google agrees with us."

He also pointed to problems with applications such as email that include sensitive data that needs to be stored on the mobile device. "If you are storing sensitive data you need to protect that data," he said. "We strongly urged them to encrypt this data."

Hoog said smart devices running the Google Wallet app hypothetically could board malware that would give intruders access to the root data analysis program and, from there, to the operating system. In theory, the intruder launching a successful attack of this type would have unfettered access to the information on the device. For this reason, he believes manufacturers need to make it more difficult to pull data off devices.

Google response

The official Google response to the viaForensics finding reads, "The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case the secure element still protects the payment instruments, including credit card and CVV numbers.

"Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."

A Google representative, speaking on background, pointed out there are no known exploits that get root access to a device. Google maintains that even if root access is somehow obtained, credit card information is still protected.

The company also pointed out that encryption is of no value when root access to a phone is gained. "Our Wallet is more secure than your wallet," the Google employee said. "If someone steals your wallet they have your credit card information."

Hoog's position is slightly different. "We believe wholeheartedly it is possible to secure mobile apps," he said. "It takes effort, diligence and auditing, but it can be done."


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
