Google Wallet Stores Card Data In Plain Text
nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."
"Stores Card Data In Plain Text"
isn't quite the same thing as
"suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number"
viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.
Correct me if I'm wrong, but isn't social engineering the art of tricking people into giving information or access they wouldn't normally? If the security is breached through human gullibility I don't see what method of storing the data is going to protect against that, unless it's storing it where nobody but PCs have access to it and no humans have access to said PC's.
I can socially engineer the card holder to give me their card info and you can't encrypt against that.
From TFA:
While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database.
The same last 4 digits that are printed on your credit card receipts and show up as plain text on many web sites that store credit cards.
Doesn't seem like a big deal - people should know better than to give their card number to someone that has the last 4 digits of their card number since they could have gotten them anywhere. (or just guessed - send a spam email to 10 million people with a randomly generated 4 digit number, and you'll have guessed right for 1000 of those people.)
And so what? Your phone must be able to decode the stored data, so it must somehow acquire decryption key.
That means that this decryption key must be transmitted over the network or stored on the device itself. And if it's stored on the device, then the whole encryption scheme is nothing more than complex obfuscation.