Google Wallet Stores Card Data In Plain Text

nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."

Not tooo worried about this one

[bobwrit]

At least it's not storing, oh say, your login details in plain text... which certain(*cough* Sony) companies do. The details that it stores aren't anything that can be actually used to formally break into an account(yeah, sure, it can be used for stalking purposes/phishing, but that's almost always a vulnerability).

Re:Not tooo worried about this one

Sure, mr. Apple Fan, storing the same last 4 digits that are printed on every receipt is a security nightmare. Google is EEEEVIL. EEEEEVIL, I tell you!

"Way to spin it" is what article summary and headline do.

Re:Not tooo worried about this one

[Fritzed]

One important difference is that in the credit card industry there are published rules that you must comply with called the Payment Card Industry Data Security Standard (PCI-DSS), or in the case of an application, Payment Application Data Security Standard (PA-DSS). If TFA is accurate, then Google Wallet is not following the PCI guidelines.

However, it is worth noting that even if they ignore all of the best practices, they are probably technically in the clear right now. Mobile Applications are currently exempted from PCI and PA enforcement pending an update to the rules. As they are currently written, they acknowledge that they were not designed with mobile devices in mind. Mobile payment application developers are encouraged to follow the general guidelines of PCI, but they are somewhat left to their best judgement.

Re:Not tooo worried about this one

Yet, even with their multiple security problems, sheeple rush to buy SONY products :(

Re:Not tooo worried about this one

[unapersson]

The passwords were *cough* hashed. I suppose that's a kind of plain text.

Re:Not tooo worried about this one

[abigsmurf]

Except Sony hashed the passwords, encrypted the CC info and didn't store the security codes.

How long has it been and people are still spreading the "ZOMG PASSWORDS IN PLAIN TEXT!!" rubbish?

Re:Not tooo worried about this one

Which one of Sony hacks are you talking about? There were something like ten break-ins in different parts of Sony conglomerate, with different amount and value of stolen info in each case.

For example, in this instance they didn't.

Re:Not tooo worried about this one

[History's+Coming+To]

My bank stores my password in plain text. It's clearly not even hashed as they only need (eg) the third and fifth characters to give me access. I queried this with them and the person couldn't understand what I meant, and I wasn't allowed to talk to anyone who might understand for "security reasons". Interesting policy.

Re:Not tooo worried about this one

[InsightIn140Bytes]

That's not the only data stored in plain text in a freaking SQLite database.

But the apps' SQLite databases resident on the Android phones included credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates -- information that viaForensics says could be used, for example, as a way to social-engineer the actual credit-card account from the cardholder.

That is just bad security from so large company that is trying to get everyone to use their mobile payment platform. You really shouldn't give them a pass on this just because they're Google. They need to be held to same security standards as everyone else.

Re:Not tooo worried about this one

There is nothing in PCI-DSS that prohibits the storage of the data that is potentially exposed here.

Most of this info is typically printed on a receipt (Cardholder name, last 4, expiration, transaction value, balance if it is a gift card). I don't see an outcry about receipts as social engineering enablers although they could be.

I am sure there will be many flaws found in mobile payments applications because the majority of people developing them either don't know or don't care about payment security guidelines. But this is not one of them. This is blogs and websites getting sucked in by a FUD / hype press release from a security reseacher looking for publicity.

Re:Not tooo worried about this one

[InsightIn140Bytes]

Banks are kind of different because you need to be able to access your account over the phone. However, in my country we have always used account number + one-time PIN numbers to access accounts ever since Internet banking was introduced. For confirming transactions there is also second, reusable PIN number list. And both of these lists are changed and resent to you after you've used all the one-time PIN numbers.

Re:Not tooo worried about this one

[MancunianMaskMan]

My bank stores my password in plain text. It's clearly not even hashed as they only need (eg) the third and fifth characters to give me access.

no they do encrypt it but they encrypt each letter seperately!

Re:Not tooo worried about this one

And here you show up, mister anti-Google pro-Microsoft shill. If you'd read on, you'd notice that Google is in compliance with PCI DSS with storing all this info. And really, saying "in a freaking SQLite database" like it's something awful is just dumb.

Really, you should try to be more subtle.

Re:Not tooo worried about this one

PCI QSA here. Only the PAN, or Primary Account Number, is required to be encrypted. Now I have no idea if the app is compliant or not, but nothing in the article reveals anything that would be non-compliant with the PCI DSS 2.0.

Re:Not tooo worried about this one

Banks are kind of different because you need to be able to access your account over the phone.

Ummm, no. When you're banking over the phone, the agent does not see your password. The agent has a field to type the password that you tell them. The agent's computer determines if the password is good.

Of course, the agent could write down or remember your password. My bank (ING Direct) has an automated system for password phone entry. Whenevery you bank by phone, the agent will transfer your call to that system, it validates your password, and then you get transferred back to your agent.

Re:Not tooo worried about this one

My bank stores my password in plain text. It's clearly not even hashed as they only need (eg) the third and fifth characters to give me access. I queried this with them and the person couldn't understand what I meant, and I wasn't allowed to talk to anyone who might understand for "security reasons". Interesting policy.

No, you're not allowed to talk to anyone who might understand because you're an idiot and don't understand security.

Whatever hashing/salting/encrypting technique that can be used safely store passwords can be repeated to safely store individual characters instead.

Re:Not tooo worried about this one

So I don't claim to be an expert but you clearly do.

Explain why, if a hash is applied to individual characters, the database if compromised wouldn't be vulnerable to simple frequency analysis.

I'm having trouble figuring out why this would be any more secure than ROT13 encryption.

Re:Not tooo worried about this one

[anonymov]

> Whatever hashing/salting/encrypting technique that can be used safely store passwords can be repeated to safely store individual characters instead.

Yeah, it's totally alright, because it only lowers complexity of brute-forcing from N^M to N*M (where N is number of characters in password's allowed alphabet and M is length of password).

And if they hash pairs of characters instead, then it's (N^2)*M/2 for non-intersecting pairs and N^2+N*(M-1) for intersecting.

Re:Not tooo worried about this one

I seriously doubt PCI applies, this is an application chosen by, installed, and managed by the card owner, on a device belonging to the card owner. Google has nothing to do with card numbers.

Re:Not tooo worried about this one

[Ksevio]

That doesn't mean they store it in plaintext, that just means they didn't hash the whole thing. They could have hashed individual letter groups (kind of pointless) or more likely used some type of encryption for storage and then decrypt for comparison.

Re:Not tooo worried about this one

[NeutronCowboy]

Hey, you're late to your Google bashing. Don't let that happen again.
A) It's called PCI compliance. They are PCI compliant. Whether the standard is a good one is a different question.
B) A more detailed description of the problem is here: http://slashdot.org/comments.pl?sid=2576938&cid=38397406 Please compare and contrast with how Microsoft is approaching the problem.

Re:Not tooo worried about this one

[anonymov]

used some type of encryption for storage and then decrypt for comparison

No. Just no. The only situation where password exists in clear text should be while you input it. The only viable method for third party to retrieve password should be brute force, either in "blunt heavy object" variety or "trying to reverse a hash function" variety.

And even then passwords are inherently weak, as they are limited by puny human brains used for storage.

Re:Not tooo worried about this one

No, Google is not evil, they're just arrogant and overconfident.

I hacked this a few days ago and have a way to remotely exploit it.

--
I'm a bigger asshole than Tavis Ormandy!

Re:Not tooo worried about this one

[TheSpoom]

Nonetheless that means that the bank is storing your password in either plaintext or some form of reversible encryption. Were it hashed on their end they'd only be able to validate the entire password or nothing at all.

Re:Not tooo worried about this one

There is nothing in PCI-DSS that prohibits the storage of the data that is potentially exposed here.

Repeat after me: "Just because something is *allowed* does _NOT_ mean it is a reasonable and sane behaviour!" Seriously, most countries still allow religion, after all...

Most of this info is typically printed on a receipt (Cardholder name, last 4, expiration, transaction value, balance if it is a gift card). I don't see an outcry about receipts as social engineering enablers although they could be.

Last time I used my CC to pay in a restaurant it certainly wasn't scanned and made available to every f****** script kiddie on The Intarnets. There is a _*HUGE*_ difference between offline and online data leaks!

I am sure there will be many flaws found in mobile payments applications because the majority of people developing them either don't know or don't care about payment security guidelines.

You _do_ _not_ store sensitive data _unencrypted_ _*EVER*_. No exceptions, no excuses! We're not in the 1990s anymore where you could -at least theoretically- argue about CPU and memory constraints.

Re:Not tooo worried about this one

o_O
This is just plain wrong. That is, you are plain wrong. Oh, they might be storing it plain text but what you mentioned is not sufficient evidence of that.
a) They could be encrypting it (as an opposite of hashing). In that case they can recover password for... well, password recovery reasons but that would clearly not be plain text.
b) They can store password recovery information separately, e.g. store third and fifth characters in a separate column for authentication purposes.
c) I'm really confused on the use case in general, if you know your password you can log in. Unless this technique is used to allow unlocking accounts without giving full password but that would still be a very odd way to do this.

Cheers,
- ...

Re:Not tooo worried about this one

[4phun]

One important difference is that in the credit card industry there are published rules that you must comply with called the Payment Card Industry Data Security Standard
However, it is worth noting that even if they ignore all of the best practices, they are probably technically in the clear right now. Mobile Applications are currently exempted from PCI and PA enforcement pending an update to the rules. As they are currently written, they acknowledge that they were not designed with mobile devices in mind. Mobile payment application developers are encouraged to follow the general guidelines of PCI, but they are somewhat left to their best judgement.

The bottom line is found found on the Consumerist Web site. A consumer is unwise to use a cellular mobile payment system as there are few legal safeguards compared to using a real credit card swipe or cash. My family will pass until the law catches up with were Google and some cellular manufactures are trying to go and holds them accountable. There is too much at risk for us in a world of foreign criminal syndicates itching to take advantage of these new opportunities that Google presents.

Re:Not tooo worried about this one

[JAlexoi]

Thankfully this is just an app that they can update OTA.

Re:Not tooo worried about this one

[Trashman]

One important difference is that in the credit card industry there are published rules that you must comply with called the Payment Card Industry Data Security Standard (PCI-DSS), or in the case of an application, Payment Application Data Security Standard (PA-DSS). If TFA is accurate, then Google Wallet is not following the PCI guidelines.

Much Like the Pirate code, They're more like "Guidelines" than actual rules...

Re:Not tooo worried about this one

[coolmadsi]

Nonetheless that means that the bank is storing your password in either plaintext or some form of reversible encryption. Were it hashed on their end they'd only be able to validate the entire password or nothing at all.

Could they encrypt/hash each character separately? So instead of one password field in a database, they have one field for each character of the password. Then each character is matched with the corresponding field. Or would encrypting/hashing a single character make the process fairly pointless? (I'm not a security expert so am mainly asking out of curiosity)

Re:Not tooo worried about this one

[TheSpoom]

I am also not a cryptography expert but in my slightly less than expert opinion I would say that hashing single characters would eliminate the point of hashing. It would make reversing the hash (which is supposed to be very difficult / impossible by design so that a malicious party couldn't get passwords even if they got a copy of the database) much easier.

Let's say you're hashing the value of a seven character password. If you hash then entire password, than there are (num_chars_in_alphabet ^ 7) possible passwords that could fit a given hash, and to reverse a hash (assuming a well-designed hashing mechanism) you'd have to examine all of them. (Yes, there are optimizations that one can do like only looking at lower-case alpha characters first, but it would still take some time.)

If instead you hashed single characters, it would mean that for each character you would have to examine (num_chars_in_alphabet) possible hashes to see which one matched, which could be done in less than a nanosecond usually (there are, what, maybe 200 possible inputs from a standard PC keyboard?). Repeat for each character, and it's still very easy to do by brute force.

Re:Not tooo worried about this one

[coolmadsi]

OK, that makes sense, thank you for the insight :)

NFC

[anchovy_chekov]

No Fucking Clue?

Re:NFC

[CodeReign]

Nearfeild communication 1-4 cm transmission devices. Like pay pass.

Re:NFC

[sidthegeek]

whoooooosh...

Re:NFC

[phonewebcam]

That's what Apple tells its users when they ask why it wasn't on the iPhone 4S. The one with the tiny screen. And no 4G. Thankfully all that will change next summer when it will of course be trumpeted as a fantastic innovation on the iPhone5 and Apple can begin the busy work of suing everyone else copying their work.

Actually NFC is even funnier than that - they way the rollout is going you'll soon have checkouts offering "Fast Phone Payments" or however they spin it, so those with the right equipment (cough!) can zip past those standing in line next to them at the regular checkout with their fingers in their ears going "la la la la don't need that la la la pretend we're outside an Apple store la la la".

Re:NFC

Your obsession with Apple is unhealthy.

Re:NFC

[WrongSizeGlass]

Your obsession with Apple is unhealthy.

You know the old saying: An Apple rant a day ...

Re:NFC

[Stewie241]

When the equipment is good paypass is much faster. No waiting for change. Just tap the card on the machine and you're done.

Compare that to when I went to the dollar store the other day and I had to wait patiently while the clerk punched the numbers in on the calculator to figure out how much change to give back when I gave her a $2 coin to pay for a $1.13 purchase.

Re:NFC

It's a good thing Credit Card numbers can't be captured and duplicated or even just guessed.

Re:NFC

While your predictions will probably come true, wait for Apple and its fans to actually take these actions before calling them on it. There's plenty of stuff to hold Apple to now without making up bad stuff they may do in the future.

This line of reasoning can be applied to many things besides Apple/Android flamewars as well.

Stupid headline

[Ultra64]

"Stores Card Data In Plain Text"

isn't quite the same thing as

"suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number"

Re:Stupid headline

RTFL: "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext."

Re:Stupid headline

Neither statement is completely clear, but as I see it Google Wallet is storing (some) data about the card in plain text, which may be enough for anyone that discovers it to obtain further details about that person and their card from the financial institution via social engineering.

To me this means if you lose your phone, it may have enough information on it to enable the finder to then get your credit card details through social engineering.

Re:Stupid headline

[stephanruby]

Also it cites the PCI standard, but that applies only to a full credit card number that has been transmitted already.

In this case, it only keeps the 4 digits of the card number and the expiration date in plain text on your own phone. It's not bad compared to a regular wallet that will keep the full credit card number, the expiration date, the full name, and the verification code as well, all written in plain text on some flat piece of plastic.

Re:Stupid headline

[Nick+Ives]

Oh, so this is on a users phone? (Yea I didn't read FTA).

If so, this is right up there with the previous scandal about Android keeping passwords in plaintext. In that case you had to be root to gain access them, meaning whether or not they were stored as plaintext would be a moot point. If you're root, then surely you can do anything including invoke any methods used for decryption. Same goes for this.

Re:Stupid headline

[phantomfive]

The following is the data listed by the article as being stored in plain text:

[data] such as a cardholder's name, transaction dates, email address, and account balance

Maybe enough for social engineering, probably not.

Re:Stupid headline

Not so fast.

If the user data is encrypted with a user-supplied password (even if it is automatic and partially use the login password as a source), then even if you are root, you cannot decrypt the data.

It's like when your Home folder is encrypted; you can force-change the password if you have root access, but then, the data is not decrypted.

Re:Stupid headline

[sangreal66]

This 'social engineering' attack requires root on the user's phone as well by the way. A lot of effort just to get someone's credit card number.

Re:Stupid headline

[kwark]

The plain text stored passwords and the card details are not really comparable.
The plain text passwords for certain services have to be unlocked at boot to make these services function, they have to be kept open for background use even the phone interface might be locked (just like the home dir). The card details can be kept encrypted at all times except when actually being used, which should always happen interactively.

Re:Stupid headline

[AmiMoJo]

That's why it is important to report it lost as soon as possible.

Lost credit card statements are worse as if intercepted in the post because you won't even realise it until it has been missing for a few days.

Re:Stupid headline

[neokushan]

I'm curious as to what social engineering technique could be used to find a card number? I have never seen a website that will reveal credit card info as anything other than **** **** **** 1234, nor have I ever heard of a bank that will give out your number over the phone. The only thing they ever do is post you out a new card and disable the current one.

Seriously, phone up your bank and say "Hey it's Mr Smith here, I left home without my card today and I absolutely must buy this cute thingymabob on the internet, I know the last 4 digits are 1234 but that's it - could you help a brother out?" and see what happens. Then there's the CVN which shouldn't be stored in ANY payment system - except maybe the card authenticator themselves (i.e. Visa/Mastercard).

Re:Stupid headline

But the apps' SQLite databases resident on the Android phones included credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates -- information that viaForensics says could be used, for example, as a way to social-engineer the actual credit-card account from the cardholder.

Re:Stupid headline

[Threni]

> Also it cites the PCI standard, but that applies only to a full credit card number that has
> been transmitted already.

No it doesn't. PCI also relates to storage of information.

Although you're quite right about the harmlessness of storing the last 4 (and the first 6, come to that) digits in plaintext. That it could be argued that this faciliates 'social engineering' scams is neither a PCI compliance issue nor is it Google's fault/problem. You could just as well suggest that a phone number, surname etc be kept secret for that reason.

Re:Stupid headline

[Splab]

If I have your mobile phone with access why would I bother trying to get to your creditcard when I can get pretty much anything I want - it has access to E-mail, SMS, friends and family.

I could just try and grab all your passwords, getting to your online email client before you do I can probably change settings enough for you to be unable to quickly recover anything. From that point I can start initiating scam mails at your friends and family.

Having a credit card number is only useful for a limited time; having access to all your personal data will enable an attacker to keep stealing.

Re:Stupid headline

[WrongSizeGlass]

I'm curious as to what social engineering technique could be used to find a card number?

The target is not the bank or credit card company - it is the owner of the phone ... and remember, it doesn't have to work often (or on /.ers):
- Someone with malicious intent gets your Google Wallet info from your phone (either via malware or acquiring your phone).
- They contact the owner of the phone claiming to be from one of the stores that is listed in the plain text Google Wallet transaction history.
- They tell the owner of the phone that their records show that your Google Wallet was charged <insert excessive amount here by moving the decimal two places to the right> and surely that amount is not correct.
- They blame the error on the new payment technology (e.g., "they still haven't worked all the bugs out", etc).
- The remind the owner of the phone to pay close attention to their next statement just in case this happened with any other retailer.
- They tell the owner of the phone that they need the CC# and CCV to issue the credit because "they don't store that information for security reasons".
- If they've played their role correctly the owner of the phone may provide the requested information.

Re:Stupid headline

[um...+Lucas]

Phone call:

" hi this is the chase anti fraud department. We've noticed some suspicious activity on your account. Can you verify if you initiated the following charges? Oh you did that's great. I just need to verify if you're in possession of your card right now. Can you please read the 16 digits off the front of it for me?"

I wouldn't fall for it. You and most slashdotters probably wouldn't either. But rest assured there are still millions who would. Those same people who go clicking every link they find in their emails, I'm sure a few of them would succumb to this sort of attack. Letting the their get enough information about you so that they can sound like the should have this info is a bad thing.

I'll jump on the band wagon that says this is incredibly irresponsible. Especially if it's tri that the program is x"protected by a PIN". The developers recognized that the program stores and accesses vital data, but didn't take the next step of insuring access too all of its data would be blocked without that pin.

Oh that's right. It's safe because only someone with root access can access it. Even though rooting an android phone is hardly rocket science. (that last statement is conjecture since I no longer use an android)

Re:Stupid headline

[mjr167]

I'm pretty sure they can do that without whatever info google wallet stores. All they need to do is pick a major bank in the area and chances are a good number of people will have an account there. Or just watch the US mail... Ever think about how much your postman knows about you?

Re:Stupid headline

[swillden]

Oh, so this is on a users phone? (Yea I didn't read FTA).

If so, this is right up there with the previous scandal about Android keeping passwords in plaintext. In that case you had to be root to gain access them, meaning whether or not they were stored as plaintext would be a moot point. If you're root, then surely you can do anything including invoke any methods used for decryption. Same goes for this.

Root access is also required for this attack. Without root, a person with your phone can't get the unencrypted data. Rooting the phone via normal means (i.e. not exploiting some other security defect) will wipe the data.

Re:Stupid headline

[MrMickS]

Its actually a bit worse than this. It gives a bonafide target for a trojan.

Re:Stupid headline

[Idbar]

Isn't this, the same that happens if you lose your wallet? I guess that's part of the reason is called "wallet". It acts like one. The question is if there's enough information available to those just "looking"

Re:Stupid headline

[Nimey]

Oh, so this is another "google is evil!" non-story that the editors didn't bother to fact-check, but is good for driving page hits.

This never happened before Taco left.

Re:Stupid headline

[Sloppy]

If you're root, then surely you can do anything including invoke any methods used for decryption

On your laptop, if someone steals it while it's turned off, they can do anything they want, including becoming root, and they still don't get to read any of the files in your home directory without the [LUKS|truecrypt|whatever_you're_using] decryption key. Having both root and physical access isn't enough unless they manage to get the system while it's already up.

"Invoking the methods used for decryption" is pointless unless you have they key to pass to those methods.

Sensitive data (or maybe just everything) on phones should be handled that way too.

Personally, I wouldn't put the burden for that on a "wallet" type application; it should be part of the OS itself, at the device level (or possibly filesystem level). AFAIK Android doesn't yet use encrypted devices or filesystems, so flaming the wallet itself might not be perfectly appropriate. But the flaming system as a whole? Sure, especially if it's going to be marketed as a payment system. And especially since we all know the kernel it uses is already very capable of doing this stuff, out-of-the-box.

It just goes to show how far these handheld PC OSes still need to come, before they catch up to reasonably modern expectations for a PC.

Re:Stupid headline

[Bill+Dimm]

You could play out that entire scenario without the Google Wallet info. Look up the phone number from some random person in the phone book, call them, and say "Good morning Mr. Smith, I'm with your bank's fraud unit, and we saw a large transaction on your Mastercard and wanted to verify that it is legitimate..." Sure, it might be a little more convincing if you knew the last 4 digits of the card and info about an actual transaction, but that just bumps up your probability of success a bit.

Re:Stupid headline

[PGGreens]

I tried contacting them a bunch of times, but they never answer their phone...

Re:Stupid headline

[bmd256]

...AFAIK Android doesn't yet use encrypted devices or filesystems, so flaming the wallet itself might not be perfectly appropriate...

Maybe Android 4.0 will have full system encryption. I know 3.0 does, but that is kinda useless at the moment as 3.0 is only for tablets.

Re:Stupid headline

[Ultra64]

> It's safe because only someone with root access can access it.

Just like anyone with your wallet can access all of your credit cards.

Re:Stupid headline

[um...+Lucas]

Yes, anyone can call and say they're a bank. And they might know your name, which shouldn't be enough to authenticate, but a few people here and there will fall for it anyways. There's no helping them.

But if someone calls with your name, knows transactions that you've recently made, and has other identifying information (including your credit limit. That way, once they determine your card is "safe" they can offer to raise your limit from XXX (which they know) to YYY (a made up number). Of course that won't do anything, but it's just more information for them to appear legit.

I can't believe there are so many people here overlook all of these issues. Social engineering is a real threat, and giving thieves more and more information so they can be better "armed" by appearing more legitimate is a bad thing. True it's not as bad as leaving a database wide open with creditcard details, but it's still unacceptable that any information of this information should be accessible if a phone is lost.

Re:Stupid headline

But this is entirely asinine.

I could just as easily steal your entire phone and demand that you give me your credit card number (or the "keys" that will allow me to access it) lest you lose your beloved gadget. Hell, I could steal your actual credit card which has all your credit card info (number, CVV2 etc.) printed, in unencrypted form, right there on the card to achieve the same thing.

You know, the old rubber hose technique.

Re:Stupid headline

[Pieroxy]

Pretending to be the bank out of the blue is going to raise more eyebrows than pretending to be the store the dude went to the day before, especially when the caller can substantiate his claim by citing what the user bought there.

Re:Stupid headline

[Archangel+Michael]

"I"m at work right now, and my credit card is at home, can I get your phone number so that I can call you back with that information once I get it? Thanks."

Re:Stupid headline

[Archangel+Michael]

Ha! Postman doesn't know shit, or at least doesn't give a shit. S/HE still delivers mail for the previous owners after 4 years of NOT living there. In addition, even if they did pay attention, the only things I regularly get are bills (Utilities) and used books (cheaper than Kindle/Nook ebooks) for my wife. Yawn.

Re:Stupid headline

[mjr167]

Our postman brought us mail that miss-addressed once. Right after my daughter was born we were getting a lot of packages from relatives sending us stuff and one of them transposed the house numbers. The postman noticed and brought it over saying "I think they meant to send this to you." I think your's just doesn't care. So how do you not get credit card offers and balance transfer offers, etc? I would encourage to actually look at your junk mail at some point. You might notice a correlation between what you get and what you buy/who you do business with.

Re:Stupid headline

"suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number"

Agreed, social engineering is sufficient to allow social engineering to obtain a credit card number.

Re:Stupid headline

[lwsimon]

As connected as I am, you can't access my wallet from the Internet.

Well, okay, you can access my Bitcoin wallet from the Internet, but that wasn't what we were talking about :)

Re:Stupid headline

[delinear]

No, they're talking about obtaining the details from the cardholder, not the institution. In other words someone calls you saying they're from your credit card company, they read back to you your name, the last four digits of your card and, say, the amount and date of a recent transaction (all info stored in plain text) to prove who they are, and to confirm they are speaking to the right person they ask you to confirm just your credit card number and CVV. Now the average slashdotter is probably savvy enough to question this, but a lot of people would fall for a scam when the person perpetrating it appeared so well informed.

Of course, they still need to be able to access the data from the device in the first place (and things like MitM attacks didn't work so they'd either need to get hold of your phone or get malware onto the phone to retrieve that information) so it's not a "run into the streets screaming in panic" issue, but it is an issue. Full disclaimer: my shiny new Galaxy Nexus arrived Wednesday (although Google Wallet isn't available in the UK yet) so I say this from a place of some mild concern, although I'd be surprised if this wasn't fixed pretty quickly.

Re:Stupid headline

[delinear]

Are these incredible lengths to go to? Yes. Do criminals go to them? Sometimes. The point is, better safe than sorry. I refuse to give out any information about my cards or accounts to a phone call out of the blue. If someone is calling from my bank's fraud department, they won't mind if I suggest I terminate the call and dial the bank back directly, just to be sure, that doesn't mean it wouldn't work on some people. I still don't think it's a major issue given you'd need to get the details from the phone in the first place, but if it's a simple loophole to close, why not just close it to be safe?

Re:Stupid headline

Oh, so this is another "google is evil!" non-story that the editors didn't bother to fact-check, but is good for driving page hits.

This never happened before Taco left.

Oh bullshit. Slashdot has been second only to 4chan in useless garbage for quite a few years.

Re:Stupid headline

According to this script it seems as thought he Google Wallet is of no value. This could be done with any random phone number and any random popular online store. The Google Wallet is a slight refinement of a generic social engineering trick and it only works with Google Wallet users, and the generic trick will work on a much larger subset of people.

Re:Stupid headline

Rooting your phone *while keeping existing data on it* is rocket science until there is a root exploit, which is something that would be quickly patched.

Re:Stupid headline

If you grab a copy of a customer receipt (which a lot of people just throw out) you could accomplish the same thing -- last 4 digits of the cc# and transaction information.

Re:Stupid headline

[Nimey]

I said the thing about Taco for teh funniez.

Re:Stupid headline

[Keyboarder]

Starting with 3.0 Android supports full device encryption. Considering the only phone that supports Google Wallet officially (I have it running on my Galaxy Nexus, but I had to hack it onto there) is Sprint's Nexus S, and that the Nexus S will be updated to 4.0 fairly soon, your objection should be met in a decent timeframe. That's not to say there hasn't been a window where this wasn't the case, but it should be fixed soon enough. Also, the standard method (and only way I'm aware of) to root the Nexus S involves a full wipe of the device. Some other devices don't allow rooting via this method so other methods are explored to utilize some security hole somewhere (meaning no full wipe), but the Nexus devices already have an easy way to obtain root so these security holes aren't normally sought out. All the more reason for OEMs to ship unlocked phones.

Re:Stupid headline

Actually, my credit union did almost exactly that, though it was an automated message I was supposed to reply to. Of course I thought it must be a scam for them to ask me to enter the full CC number, AND other identifying information. I ended up googling the number of the calling system and it others had already dealt with the CC vendor, and the number in fact was from the right people.

Since then the same thing has happened when I do something like order expensive items on the web from someplace I haven't ordered from before. Though it all works smoothly. Stupid system, but some really do ask for the whole number. If I ignored them, they would have shut down my card.
(actually, I think I called them as well... it was a long time ago now...)

Re:Stupid headline

[JAlexoi]

Unfortunately beyond getting the name nothing is in the data stored that you couldn't get from a receipt. In addition, why would the store know my name and a phone number?
The big problem there would be acquiring the right phone number. I have not seen a lot of phones that report the correct MSISDN.

Bitcoin is more secure than ACH

[Todamont]

Bitcoin uses encrypted wallets which are not linked to your name or address. It is the strongest computer in the world and it supports p2p DNS through namecoin. It is much more secure than online banking with ACH, and much harder to usurp than centralized BIND servers. Plus they won't print 1,000,000,000,000 of them this year.

Re:Bitcoin is more secure than ACH

[mark_elf]

... It is the strongest computer in the world...

I'm scared of this.

Re:Bitcoin is more secure than ACH

Bitcoin uses encrypted wallets which are not linked to your name or address. It is the strongest computer in the world and it supports p2p DNS through namecoin. It is much more secure than online banking with ACH, and much harder to usurp than centralized BIND servers. Plus they won't print 1,000,000,000,000 of them this year.

Thank you for paying with BitCoin now just have a seat over there while we wait for your 6 confirms then we will cook your burger...

Re:Bitcoin is more secure than ACH

[Capitaine]

"HAL, would you please let me open my wallet?"

Re:Bitcoin is more secure than ACH

Why would anyone require a much higher certainty from Bitcoin transactions than credit card transactions? In the latter case, you'll have to wait 6 months pending eventual chargebacks.

In Bitcoin's case it's enough to see that there was no duplicate TX being performed, thus the waiting time should be a few seconds at most.

Re:Bitcoin is more secure than ACH

[cvtan]

I'm sorry, Dave. I'm afraid I can't do that...

Re:Bitcoin is more secure than ACH

[Nimey]

Because the common person doesn't know anything about Bitcoin, hence there's no trust. Trust is of paramount importance in any monetary system.

Re:Bitcoin is more secure than ACH

[lwsimon]

Yet.

Check out Bitcoin Spinner in the Android Market. It has solved the primary problem with Bitcoin in my opinion, which is that it was difficult for non-technical users. It's still a little rough, but it works well.

I've been using it with some (not geeky) friends to split checks at lunch and the like. They like it, and I even heard one ask a local coffee shop if they would accept them :)

Re:Bitcoin is more secure than ACH

[SFtheWolf]

Plus they won't print 1,000,000,000,000 of them this year.

They sure won't. They've printed all they needed to get rich and cash out already.

No kidding.

[SeaFox]

viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.

Correct me if I'm wrong, but isn't social engineering the art of tricking people into giving information or access they wouldn't normally? If the security is breached through human gullibility I don't see what method of storing the data is going to protect against that, unless it's storing it where nobody but PCs have access to it and no humans have access to said PC's.

I can socially engineer the card holder to give me their card info and you can't encrypt against that.

Re:No kidding.

[geminidomino]

I think the point being that if you can trick someone into giving you a file that they don't know contains their credit card number in plain text, unlike giving you the card number directly, they don't even know what you have.

Re:No kidding.

[caladine]

I think the point was that it makes it easier to pull off the "social engineering" if you have access to information only privileged parties should have. They should still be encrypting the locally stored data, and it's just lazy not to.

Re:No kidding.

[Jah-Wren+Ryel]

You are only seeing the little picture. The idea is that if someone can get ahold of this data (like say they snatch your phone) then they can use that data to trick you into believing that they are someone trustworthy, like a rep at your bank.

For example, they get your payment transaction history and then they call you up - tell you your transaction history as a means of authenticating themselves as someone who works for your bank and then get you to disclose your online banking username and password, at which point they empty your entire savings account.

Re:No kidding.

Wouldn't you be kind of suspicious if your phone gets snatched and suddenly someone calls you up about your Google Wallet account?

Credit card transaction data is not that hard to get by just going through someone's trash too. This isn't really a new problem.

Re:No kidding.

[SeaFox]

You shouldn't trust they are who they say they are if they call you anyway. Lots of people throw out old bank statements without shredding them, and even if they did with their bank statements collecting enough random receipts all paid with the same debit card would give you enough transactions for a time period to make you sounds official. You should request to call the bank back about the matter and then dial them yourself -- from a known general customer service number for the institution, not a direct number the caller might give you.

Re:No kidding.

[maiki]

I can socially engineer the card holder to give me their card info and you can't encrypt against that.

Compare:

"Hey man, could I borrow your phone for a sec to call home? Mine ran out of battery."

"Hey man, could I see your credit card for a sec? (Mine ran out of money...)"

It's easier to agree to the first one.

Re:No kidding.

[sangreal66]

Indeed, but if someone steals your phone and it isn't protected they probably have a lot more information than what is being described here. The information stored is about the same as you might find on an ATM receipt with the addition of the expiration date. All of which I can probably get from your e-mail/facebook/sms/etc

Re:No kidding.

[JWSmythe]

Wouldn't you be kind of suspicious if your phone gets snatched and suddenly someone calls you up

    That'd be a really cool trick.

Re:No kidding.

[JWSmythe]

It all depends on your definition of social engineering. I find the best results come with a $5 wrench and a few minutes in an alley. People become very cooperative to anything you ask for.

Re:No kidding.

[um...+Lucas]

You're missing the point. They're not calling about google wallet. They're calling about your credit card. You might inquire as to why the phone theft and cc are related and the "rep" would just say "some phone apps store credit card information on the device", and then proceed to read off a list if your recent transactions to "verify" you.

As I said earlier most of us won't fall for this but if you think no one will, then you over rate the intelligence of the human race. Best not to leave that data available to be found in the first place... The fix for this is just a single additional step, it shouldn't have even been an issue.

Re:No kidding.

[strength_of_10_men]

Except that the plain-text file contains only the last 4 digits of the CC info, fully missing the other 12 digits. Hell, almost every bill auto-pay system I use regularly sends me an email containing my CC's last 4-digits. But otherwise, yeah, exactly like you describe.

Here's one of my CC numbers: xxxx-xxxx-xxxx-2932. Have fun with it.

Re:No kidding.

[Stewie241]

You would think businesses would encourage this. Here in Canada, we have a phone company, Bell Canada, which states on their web site that reputable businesses won't call you and ask for credit card information. Yet, one time I forgot to pay my bill and they called up and asked for my credit card information over the phone. It sounded very legitimate. I asked to talk to the manager and they directed me towards another person who apparently didn't see anything wrong with the practice.

It is businesses like these that are making the social engineering approach easy - they train their customers and teach them that it is a normal thing to give people credit card information over the phone. It really isn't hard to do if you're anything remotely close to being a good actor/actress.

Re:No kidding.

[Stewie241]

Well, I see your low ID and can only conclude that you have been cryogenically frozen and have just been woken up. I feel I should tell you that a wrench that will be in any way menacing costs more than $5 these days.

Re:No kidding.

[Sloppy]

I know you're going for the joke, but from a serious aspect (here come the "whoosh" replies) that is lousy SE because the victim knows what you're doing. Unless you kill or incapacitate them, then after you leave they're going to call cops, cancel cards, etc. Good SE requires the victim not know they were attacked. You can't do that with a wrench.

I guess this is getting to be an automatic button with me. Every time someone brings up crypto, someone else brings up the wrench, and it's almost always wrong. (Damn you, Munroe!)

Re:No kidding.

[swillden]

I think the point was that it makes it easier to pull off the "social engineering" if you have access to information only privileged parties should have. They should still be encrypting the locally stored data, and it's just lazy not to.

Encrypt it with what key?

This attack already requires a rooted phone. If the attacker has your phone, and has rooted it, then he has access to any key stored on the phone.

The key could be derived from your PIN, but that's four digits. How long does it take to brute force search 10^4 possibilities? Milliseconds. This would be a ciphertext-only attack, so the the attacker would need to be able to recognize the correct plaintext. If all of the potentially-sensitive data were encrypted, picking the correct plaintext would be trivial. If only the most-sensitive info -- last four and expiration -- were encrypted, it would be harder, but not much, given that valid months must be in the 1-12 range and valid years must be within current + 2-3. In fact, all but ~3% * ~12% = ~0.36% of plaintext candidates could be excluded out of hand.

Perhaps a custom compression function could be used to compress all of the available entropy into as few bits as possible before encryption to make it harder to discard plaintext candidates -- but keep in mind that there may be multiple cards stored in the app, so the compression function would have to be flexible enough to handle an arbitrary number of cards, without getting weaker. It would also be good if it could include the user's name, etc. I suspect it could be done, but it's well beyond just "non-laziness". In fact it's a mini research project.

The real solution would involve putting the data in the SE, but that would require modifying the payment app. I spent over a decade working in that space (smart card payment) and I think even Google would shy away from modifying the MasterCard PayPass app. The certification costs for any change are staggering. Not that Google couldn't do it, or afford the certification, but it would be a tremendous cost, to protect data that is (a) on every plastic card out there (compare losing your Google Wallet phone with losing your regular wallet) and (b) pretty widely available even without the plastic card.

(Disclaimer: I work for Google, and part of my work is related to Wallet, but I have carefully restricted my comments to exactly what I would have said based on the knowledge I had before joining Google.)

Re:No kidding.

[swillden]

"Hey man, could I borrow your phone for a sec to call home? Mine ran out of battery."

More like "Hey man, could I borrow your phone for an hour, hook it up to my computer, use an exploit to root it without wiping it and then go rummaging around in the contained SQLite databases?"

Okay, the attacker obviously wouldn't ask that. But this requires far more than borrowing a phone "for a sec" to make a phone call.

Re:No kidding.

[impaledsunset]

Yes, that's it. I don't understand why would you want to encrypt anything unless you have passphrase support for it, or some other form of secret that makes the encryption do something. If you don't protect the key with a secret, the encryption is no longer an encryption.

Unless you have your phone ask you for a very long passphrase, any encryption is pointless. So you have only three options:
1) Use an encrypted key chain or better full disk encryption with a really long passphrase which is incredibly inconvenient to enter on a phone.
2) Don't store sensitive data to the phone.
3) Don't lose your phone.

Anything else is snake oil.

Re:No kidding.

[gnapster]

(Disclaimer: I work for Google, and part of my work is related to Wallet, but I have carefully restricted my comments to exactly what I would have said based on the knowledge I had before joining Google.)

Partitioning your knowledge like this is an interesting and valuable skill. Did they teach you this before or after teaching you the secret of levitation?

Re:No kidding.

[swillden]

(Disclaimer: I work for Google, and part of my work is related to Wallet, but I have carefully restricted my comments to exactly what I would have said based on the knowledge I had before joining Google.)

Partitioning your knowledge like this is an interesting and valuable skill. Did they teach you this before or after teaching you the secret of levitation?

It's not that hard. I just thought about what I would have said if presented with this same story a year ago. Since I was actively thinking and discussing such things at that time, it wasn't difficult.

Re:No kidding.

[Archangel+Michael]

That's MY Card (and luggage combo) !

Re:No kidding.

XKCD called. They want their joke back.

Re:No kidding.

[ColdWetDog]

XKCD called. They want their joke back.

Nah, Randall's cool with it.

Re:No kidding.

[JWSmythe]

    And I can see by your high UID that you are fairly new to the Internet.

    Let me introduce you to the wonders of online shopping. You too can buy a $5 wrench.

    Actually, $4.65.

    You may want to look at local pawn shops, yard sales, and flea markets. Just like prostitutes, if you look in the seeder areas, you can get something much bigger, for less money.

Re:No kidding.

[Jah-Wren+Ryel]

You shouldn't trust they are who they say they are if they call you anyway.

Of course not. But there is a sucker born every minute. If they can automate it such that they don't need to physically snatch a phone, just get virus on there that emails the plaintext file to the scammers' server, they could try this trick on tens of thousands of people without much trouble. 1 out of 100 is sure to take the bait.

Re:No kidding.

[Stewie241]

I guess I was thinking something more in the range of http://www.americawestdrillingsupply.com/Products2/PipeWrenches-Ridgid.asp?gclid=CNP_r7CBiK0CFWgEQAodklGomQ.

*shrug*

Re:No kidding.

[JWSmythe]

    That'd be $5 at a yard sale. :) The price is what you pay for it. The supply chain and vendor aren't significant.

Re:No kidding.

[JWSmythe]

Nah, I didn't say it for the XKCD reference. I'm just kinda blunt. :) If I want to steal your credit card, I'm not going to call you up, and try to get it from you gracefully. I'd probably kick you in the nuts, and follow that up with ... well ... a $5 wrench to which ever part looked like it wanted to be hit. Then I'd say "May I have your credit card please?"

    "... and your cell phone ..."

    "... and your car keys ..."

    "... and do you mind holding my wrench with your head? Thank you."

    See, please *and* thank you. I do well with the social graces.

    I found my kindergarten report card. Under "Socialization" it had the box checked "does not play well with others."

    I see "social engineering" as being "social" (with others), and then it's an engineering challenge.

    But hey, I see a Rubik's cube as being an engineering challenge too. I can solve one in about a minute, if they use the regular attachment method. 45 degree twist, and push at the corner. Now it's like a 3d jigsaw puzzle. People only say it's cheating, because my way is faster than theirs.

Re:No kidding.

[JAlexoi]

Well.... That's too ridiculous. If someone is smart enough to root their phone and provide you with a file that is in such an obscure location, they are not going to give you their CC info by definition.

Nothing to see here, move along...

It stores the last 4 digits of the credit card, so you know which card was used in your google wallet. My telephone company does this, as does paypal if I remember correctly. Whilst it may not be stored easily in plain view of anyone, I think someone breaking into either of those accounts would be more likely than someone first stealing my phone, rooting it then access the sqlite DB.

To be honest, I am more afraid of my local 7/11 employee who swipes my credit card every day in plain view when I buy milk, newspaper and mamma noodles. I think even some POS systems display the card number on their terminal screen!

These days, I think most credit cards have secondary verification systems in place so even if someone did get my card number, it would be very difficult to use. I already have a hard enough time booking airline tickets online and trying to remember what my Verified by Visa password is. Stupid story and I read somewhere that even some stupid phone provider in the US (Verizon maybe?) has delayed the sale of the Nexus because of this.

Re:Nothing to see here, move along...

amazon too

Re:Nothing to see here, move along...

[X0563511]

You are not required to hide the first 6 digits or the last 4. That part of the card is not "sensitive"

Re:Nothing to see here, move along...

[swillden]

Stupid story and I read somewhere that even some stupid phone provider in the US (Verizon maybe?) has delayed the sale of the Nexus because of this.

I think what you're referring to is that Verizon has refused to allow Google Wallet on the new Galaxy Nexus, and has used this as part of their justification. However, it seems more likely that their real concern with Google Wallet is that they're part of a consortium (ISIS) which is developing a competitor to Google Wallet. Verizon wants to be able to rent space on the secure elements in the phones on their network. They figure credit card issuers and others will pay for the right to get their stuff installed in phones. I suspect they also have visions of someday cutting the card companies out of the loop and taking the transaction fees for themselves. Google offering the same service for free is not something they want to support, hence the FUD campaign.

Social Engineering

[asdbffg]

Caller: Hi, I'm calling from... er... Google... and it says here in this text file that you have a credit card number on file with us. Is that right?

Victim: Yes, that's right.

Caller: Cool. Would you mind giving me that account number so I can verify your identity?

Victim: Let me get my card...

Re:Social Engineering

[sidthegeek]

Victim: Funny, this guy with a Nigerian accent called me yesterday and said the same exact thing! Well, here you go... *reads number loudly into cellphone in a public area*

Re:Social Engineering

[hawguy]

I think it goes more like this:

Caller: Hi, this is Judy from Visa. We have reason to believe that your credit card number has been stolen, do you have the card in your possession now?

Victim: Yes

Caller: Can you verify that the last 4 digits are 1234?

Victim: Yes, that's my card

Caller: Can you verify the answer to your security question?

Victim: My mother's maiden name is "Cartwright"

Caller: yes, that is correct, thank you for verifying your identify. Our system has detected $17,372 of fraudulent charges on your card. but don't worry Mr Smith, we can immediately block the card and reverse the charges. We'll just need to you read the full 16 digit card number and security code so we can get started.

Many people will fall for the scam - the caller obviously knows the last 4 digits of their card number and their security question. (which, of course they don't, but it sounds like they do), so they must be legit.

Re:Social Engineering

[tagno25]

Last 4 digits and issuer are printed on most receipts. Sometimes even the name and expiration date are printed.

Re:Social Engineering

[L4t3r4lu5]

I don't answer the questions. I say "I'll save us both some time. If this is a sales call, I'm not interested, and you should remove my details from your marketing list. If there is an issue with my accounts, I'll call the number on my bank statement, because frankly I don't trust cold callers. Which is it?"

They seem quite accommodating. They've done their job by contacting me, and I avoid all social engineering attacks.

Re:Social Engineering

[Tim+C]

I applied for and received a new credit card with a provider here in the UK a couple of years ago (name omitted). A few days later someone phoned me, claiming to be from them, wanting to discuss something about my card - but first I needed to answer a couple of security questions to confirm my identity.

I challenged him to confirm his identity; all he did was reaffirm his claim to be calling from my card provider but without offering any proof beyond that. I refused to proceed, pointing out that I had no proof that he was who he claimed to be, and asked if it could be done online via their account access website. He eventually hung up.

The thing is, I expect he probably was telling the truth, but with no proof there was no way in hell I was dealing with him.

Re:Social Engineering

My bank only asks if I made such and such specific transactions. If I say no, they block or reverse charges and kill the card without asking any verifying information.

Re:Social Engineering

[lwsimon]

I always answer the security question incorrectly the first time. If they say it's right, I ask to speak to their supervisor :)

Re:Social Engineering

[bruno.fatia]

I'm quite the opposite, I really like talking with scammers and giving them bogus info :)

Re:Social Engineering

[JAlexoi]

Indeed, my best communication with a Nigerian scammer involved me giving them my "contact details" - Ngundongo Alituku an employee of Lusaka port authority :-D
And I still have a few acounts here and there to maintain that "identity" :-D

It's the last 4 digits

[hawguy]

From TFA:

While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database.

The same last 4 digits that are printed on your credit card receipts and show up as plain text on many web sites that store credit cards.

Doesn't seem like a big deal - people should know better than to give their card number to someone that has the last 4 digits of their card number since they could have gotten them anywhere. (or just guessed - send a spam email to 10 million people with a randomly generated 4 digit number, and you'll have guessed right for 1000 of those people.)

Re:It's the last 4 digits

[Lando]

More than that because you would say card ending in xxxx and since people have multiple cards the hit ratio would be a bit higher.

And so?

[Cyberax]

And so what? Your phone must be able to decode the stored data, so it must somehow acquire decryption key.

That means that this decryption key must be transmitted over the network or stored on the device itself. And if it's stored on the device, then the whole encryption scheme is nothing more than complex obfuscation.

Re:And so?

[icebraining]

Well, they could possibly encrypt it with your PIN, no? Although since AFAIK most people use 4 digit PINs, it'd take about a second to decrypt it.

Re:And so?

Using a 4 digit pin to encrypt 4 digits of data is actually as secure as it gets. You'll have 9999 keys that gives 9999 seemingly valid outputs. Of course, if someone knows the last four digits of your credit card they can figure out what your PIN is.

Re:And so?

Why not public key encryption to get the decryption key?

I'd think there's some way they could prevent spoofing of a device's identity in order to make that work.

Re:And so?

[Cyberax]

Except that there is no way it can work offline.

Slashdotters don't hate Google enough...

[webanish]

...to start raising big concerns after reading just the title and not RTFA.

Re:Slashdotters don't hate Google enough...

bonch's trying, but as other apple b-boys aren't here - i mean basilbrush, bitztream, pretty sure there were some more apple lovers with nick starting with b - he's not trying too hard.

strange that insightin140bytes didn't show up, it'd be a perfect place for his usua easily disprovable fud postings.

So what?

[MisterJohnny]

So what if it's stored in plaintext on the phone itself? What matters is what's transmitted off of the phone.

Re:So what?

[hawguy]

So what if it's stored in plaintext on the phone itself? What matters is what's transmitted off of the phone.

I think it matters because if someone's phone is lost or stolen (or infected by malware) they don't want the card number to be stolen.

Re:So what?

[icebraining]

Thankfully the CC number isn't stored, only the last four digits.

Re:So what?

[blueg3]

If the phone is going to send the credit card number to a nearby device (which is what it's doing with NFC), then it needs to have access to the plaintext credit card number. So the phone can store the CC# encrypted, but it has to be encrypted with a key based on user input (which is generally short) or stored on the phone (which doesn't actually provide substantial security).

Not very clear.

[AftanGustur]

iaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.

This is very, very vague.. Something as simple as a email address could be used for this purpose.

It's not plain data!

[martin-boundary]

It's not plain data!

It's rot32 encrypted.

*twice*.

'Cause it's the only way to be sure...

Re:It's not plain data!

[Frankie70]

It's not plain data!

It's rot32 encrypted.

rot32 was broken 6 months back. I have moved to rot128 since then. It is 4 times stronger - sure it takes a little more power, but I can sleep well at night now.

Re:It's not plain data!

I think you mean ROT26 and ROT104 ....

Re:It's not plain data!

Which alphabet is that? I heard Englishmen use double ROT-13 and ROT-26 on their alphabet, we here in Bulgaria use double ROT-15 and ROT-30 on ours, but I've never heard of ROT-32. Where is this popular?

Re:It's not plain data!

[anonymov]

Other Cyrillic scripts? Belarussian, for example, or Russian without "Yo".

Re:It's not plain data!

[hplus]

No, I'm quite sure he means 32 and 128. Any idiot knows that ROT26 puts you back where you started.

not first NFC payment system on android

Android phones in here in japan have had mobile suica using sony felica NFC comms since early 2011...(toshiba, panasonic, sharp, etc)
This might be the first to use the samsung/google nfc tech, but definately definately not the first NFC payment system on androidn

This isn't exactly a security risk.

[idbeholda]

Leaving a receipt laying around from an ATM transaction is more worrisome. Even then, a bank rep wouldn't need to ask you for your card data, considering they already have it on file. Anyone who falls for a social engineering trick in which the operator requires data is clearly a fool.

For when you are too lazy.....

to even follow the link and lookup the summary..... here it is:
- A fair amount of data is stored in various SQLite databases including credit card balance, limits, expiration date, name on card, transaction dates and locations and more.
- The name on the card, the expiration date, last 4 card digits and email account are all recoverable
- [Fixed in Version 1.1-R41v8] When transactions are deleted or Google Wallet is reset, the data is still recoverable.
- The Google Analytic tracking provides insights into the Google Wallet activity. While I know Google tracks what I do, it’s a little frustrating to find it scattered everywhere and perhaps in a way that can be intercepted on the wire (non-SSL GET request) or on the phone (logs, databases, etc.)
- [Fixed in Version 1.0-R33v6] The application created a recoverable image of my credit card which gave away a little more info than needed (name, expiration date and last 4 digits). While this is not enough to use a card, it’s likely enough to launch a social engineering attack.

So it is as safe as anything else you use to pay stuff!
Shit... it is easier to just swipe someone's credit card bill! ^^

Why is it a stupid headline?

[bonch]

I'm confused because you don't explain why "Stores Card Data In Plain Text" is a stupid headline. The statement you apparently cited as evidence restates that the data is stored in plain text and therefore may be vulnerable to social engineering attacks. Are you suggesting the headline is somehow contradictory to that? I mean, they both say that the data is stored in plain text, so what exactly is stupid about the headline?

Re:Why is it a stupid headline?

Because headline suggests "Swipe his phone and you've got his bank account in your hands" when it's "Swipe his phone and you've got a piece of information for further social engineering".

Re:Why is it a stupid headline?

[bonch]

The headline merely says the data is stored in plain text, which is true. There is no further implication made.

Re:Why is it a stupid headline?

[WrongSizeGlass]

The headline merely says the data is stored in plain text, which is true. There is no further implication made.

It should say "Stores Some Card & Transaction Data In Plain Text".

The headline was provocative and misleading because Google Wallet does not store the card number or CCV in plain text, both of which are considered the most important elements of card data.

This type of plain text data storage - even if it is just exp date, transaction dates & amounts, etc - is irresponsible, but TFA also said they needed to root the phone and get past Android security and Google security layers. Of course, if someone targets this data via malware that uses an exploit allowing root access then we're talking a whole different kettle of fish.

Re:Why is it a stupid headline?

[PoopMonkey]

Er... You're annoyed because the headline is provocative and misleading? I'm guessing you haven't seen many headlines...
Provocative yes, but I wouldn't say misleading in this case. Is there card data stored in plain text? Yes. You made an assumption here, and you know what they say about assumptions. I thought it was going to be talking about full credit card data too, so while it isn't as bad as I thought, it still isn't good.

Re:Why is it a stupid headline?

> You made an assumption here, and you know what they say about assumptions. I thought it was going to be talking about full credit card data too

LOL, "It's not misleading, but even I thought it was about something different and much worse"

Also, I hope you burn your receipts, as they give out the same info as this ain'tnogood flaw.

PCI DSS

Do you also feel that there aren't enough different three letter acronyms?

Re:PCI DSS

[heathen_01]

Yes, Three is the holy number, no more, no less.

Same as a sales receipt

[sl4shd0rk]

FTFA: "While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database."

Sheesh, big deal about nothing. You know how many gasoline sales receipts end up in the garbage can next to the automated upmp.

You know what else store CC numbers in cleartext?

[HaeMaker]

My credit card.

I'm going to steal someone's phone to get their credit card number? Why not take their wallet?

I don't want Wallet, thus stopped buying from Mark

I don't want to use Wallet, it's too intrusive and I have to give too much information to them.

For this reason I have stopped buying apps from the Market. I don't like this, but I don't want Wallet.

When I pay for an app, the only thing needed should be my CC number. No street address, no phone number, etc. That's the dealbreaker.

I'm not defending Google but...

[JohnnyMindcrime]

...I do work in security for a telecoms product manufacturer and maintainer and there are a HUGE number of companies out there that store credit card data in plain text.

However, you cannot just look at that one particular issue to make a determination as to whether or not the data is secure - it's also about how the system on which that data is stored is isolated from the real world, what firewalling and access controls are in place to restrict who can get to that data, whether or not they update the systems regularly, etc. etc.

This is NOT a security exploit, there's no report of any security hole that makes that data available to the rest of the world, unlike what happened to Sony - so some prespective needs to be put on this.

Any wise company conducts regular Risk Assessments on their infrastructure to determine what potential security risks exists, how big those risks are and how much it will cost to fix it. In this particular case, it might be that using encrypted credit card information might entail having to upgrade very expensive applications to a later version, all of which will factor into the cost of fixing the issue. If Google has determined that the risk of an outside party getting to that data is extremely low, then they may not consider it worth the expense of the upgrade.

Every company will do this, even Apple and Microsoft, and many of them do choose to adopt PCI (Payment Card Industry) guidelines on storing this kind of data correctly.

It could be argued that someone stealing a file of encrypted credit card data from a company is a much bigger issue than someone (so far) not being able to steal unencrypted data from a company - so it's always wise to put some perspective around these kinds of statements.

Which idiot posted this!?!

Google Checkout (now Google Wallet) is PCI DSS compliant as a Level 1 processor.

Given their compliance, no one has any basis to question the understanding the Google Wallet team has of PCI DSS requirements.

As someone responsible for PCI DSS compliance at their organisation, I can confirm that Google are not doing anything wrong here. Whoever posted this needs to do some reading, understand what they've posted and apologise.

Whoever accepted this submission for publishing needs to do the same.

Re:Which idiot posted this!?!

Bingo. Last four stored in plaintext is 100% OK by PCI.

Re:Which idiot posted this!?!

[Nimey]

That would be samzenpus, but it's not like any other Slashdot editor would have done better.

Did these journalists ever study security?

[fedorfedor]

They say the info is only available if the device has been rooted: the malicious software has root access. And their "solution" is that Google should store the local data in encrypted form. Anyone notice a fundamental flaw in this "solution", or heck, in the assumptions underlying their alleged problem?

If you rooted your device and therefore you disabled the security, what good is encrypting data locally? Any hack worth its salt would... well, I won't elaborate, but to software running as root, by definition, any locally accessible data and software is accessible. (And of course the same goes for an attacker having leisurely physical access to the hardware.) Basic security facts.

Honestly this all strengthens the argument for keeping all sensitive data only & always in the cloud: then the meagre security of your local device (pc, phone, whatever) might well not be the weakest link in the chain. This aspect did get a brief mention in the article, sort of, but it should have been the focus.

Re:Did these journalists ever study security?

> If you rooted your device and therefore you disabled the security

It doesn't quite work this way. "Rooting" is basically like adding user to sudoers file, IYKWIM. You don't get every application running as root afterwards, but you get the ability to let them. With a GUI su wrapper, you get a nice popup "Application X wants to get root access, accept? Y/N/[x] Remember this choice", optionally with PIN confirmation

Re:Did these journalists ever study security?

[anonymov]

Well, that's only if you yourself are rooting the device, not a piece of malware using some privilege escalating bug.

But then, if you've got user to install a rootkit, why stop with 4 last digits and transaction history, when you can just leave a logger to sit around and wait for all the account info?

Re:Did these journalists ever study security?

[fedorfedor]

Right - and the article's scenario is that some untrustworthy code has somehow obtained (with or without the user's OK) root access such that it can see the allegedly plaintext data and do something nefarious with it. But fundamentally they're complaining that in that scenario, said code running as root can (gasp) access private data. Well, duh, if they gave it root access, it's game over for local security: that's how root access works.

So?

[Kartu]

The last 4 digits of your credit card number, that are often printed on your receipts as "plain text" are also stored as plain text by Google Wallet.
So?

Re:You know what else store CC numbers in cleartex

Agree. I'm already carrying my credit card around unencrypted anyway. If NFC becomes widespread I can stop using the physical card and only risk losing 4 digits.

Re:You know what else store CC numbers in cleartex

[Mithent]

Valid point. This does smell a little of "security flaws" which start with "first, get root access"... ("It rather involved being on the other side of this airtight hatchway", as Raymond Chen puts it).

If you have someone's phone or trick them to run code on it that steal their Wallet database, that can be used to obtain some information which you might be able to use to trick them to revealing their credit card details? It's possible, but rather convoluted, and requires the user to make mistakes more than once; I'm sure there are far easier ways to commit fraud.

Read the PCI DSS!

The Payment Card Industry Data Security Standard requires that the account number be encrypted when stored, but it does not require name or expiration date to be encrypted. It does say they must be protected, meaning the environment in which they are stored should have the same protection as the environment used to store the encrypted card number (such as an isolated subnetwork that is regularly monitored and undergoes annual penetration testing).

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Re:You know what else store CC numbers in cleartex

[mjr167]

Mug them and take their real wallet?

The storage is PCI-compliant, based on the article

Actually even if PCI does apply to the mobile app, based on the article the storage does meet the PCI storage guidelines, which are not as stringent as you might imagine. PCI actually does not require encryption of the credit card number as long as it is truncated to the last 4 digits. And cardholder name and expiration date may be plain text. This is explained on p. 8 of the PCI-DSS v2.0 spec, and in Requirement 3.4.

That said, the plain-text storage is incredibly stupid, and any payment apps on a phone should go above and beyond PCI requirements. And apart from the storage, the rest of the data path needs to be examined to look for other unencrypted links.

Must have more info.

[sgt+scrub]

If they have your phone and have gained enough access to gather this information, why don't they just use your phone to empty your accounts? Why bother going through all the trouble to snarf data and social engineer the owner? The article should be more clear on if an installed application other than Google Wallet can access the Sqlite3 file. If that is the case, encrypted or not, it is broken. If that is not the case then they didn't find anything very useful. Who, that is capable of rooting a phone and installing alternative OS, is going to fall for social engineering attempt after loosing their phone. You would have to be the dumbest geek on earth.

Re:You know what else store CC numbers in cleartex

My credit card.

I'm going to steal someone's phone to get their credit card number? Why not take their wallet?

Because someone's real wallet is not connected to the Internet and cannot run my malware. Android on the other hand is quite accomodating to malware and various exploits.

Re:You know what else store CC numbers in cleartex

[Bill+Dimm]

I would assume the concern is more with malware harvesting the info from thousands of phones via some security hole, rather than someone stealing phones one at a time.

My wallet...

My wallet stores my credit card details in plain text - does that mean it's not PCI compliant?

Re:You know what else store CC numbers in cleartex

[esocid]

The good news is that viaForensics confirmed that the app does repel man-in-the-middle attacks, and is protected by a PIN to conduct transactions with the cards.

Isn't that the important part? If someone steals my phone (which is encrypted btw - galaxy nexus ftw) they're going to have an easier time just grabbing my wallet to make fraudulent charges.

Google Wallet? Really?

[assertation]

AFAIK Google is only 1 notch more trustworthy than Facebook. I can't see anyone in their right mind, who isn't rationalizing to accept a convenience, willingly turning over their financial information to either organization.

Just more smear campaign against Google

[walterbyrd]

I wonder who financed this "news."

I wonder is biased blogs should be used for "news."

No journalists just google hate blog

[walterbyrd]

And slashdot thinks this is news.

well then...

fire the stupid programming engineer crack monkey!

Your Analog Wallet Stores in Plaintext too!

HOLY CRAP. EVERYONE'S WALLET HAS A HUGE SECURITY HOLE!!!

If you take our your card you will notice that all of your credit cards have account numbers on them and your card holder information stored on plain text!!!! SECURITY BREACH!!!! EVERYONE RUN AROUND AND SCREAM!!!!

Better security than your actual wallet

Theif - Hi I'm from chase and we have noticed some wierd activiy on your card, could you read me the numbers from the front of your card to verify...

Target - Dude, we're in line at the conveinience store are you brain damaged?

Theif - Well I just thought I could give this whole social engeneering for credit card information thing a try, but it takes a little too much effort (guy leaves store and waits outside with a bat...)

I think the target's real wallet has worse security than his smart phone...

Social Engineering

viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number

You can encrypt the crap out of all the data you want, and social engineering can still obtain your credit card number. Social engineering is like hacking a person. The only thing you can do to stop that is educate yourself and take precautions. Unencrypted data doesn't help, but it's not what makes social engineering successful.

Google owns the world! lol or will eventually!

Had anyone ever seen the movie "Idiocracy"? It the film, a sports drink company, named "Brondo" (similar to Gatorade) owns the goverment, FAA, FCC, USDA, etc. Google is headed in that same direction.... FYI...

Not really a big deal

[Enmaku]

This is so not a big deal. The last four should already be considered compromised given how often they appear on receipts, both physical and digital. Even with the last four known there's still plenty of entropy in the unknown digits. As long as there aren't any other massive fails on Google's part, you're safe. Also, most retailers store this info unencrypted and it doesn't violate any PCI DSS rules. Source: http://codinginmysleep.com/2011/12/on-the-google-wallet-problem/

hey, it's their business model

[nazsco]

i mean, if it was encrypted, how the hell would they index it for search?!?!