Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Wallet Stores Card Data In Plain Text

Posted by samzenpus on from the read-it-and-weep dept.

nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."

12 of 213 comments (clear)

  1. NFC by anchovy_chekov · · Score: 5, Funny

    No Fucking Clue?

  2. Stupid headline by Ultra64 · · Score: 5, Insightful

    "Stores Card Data In Plain Text"

    isn't quite the same thing as

    "suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number"

    1. Re:Stupid headline by Anonymous Coward · · Score: 5, Informative

      Neither statement is completely clear, but as I see it Google Wallet is storing (some) data about the card in plain text, which may be enough for anyone that discovers it to obtain further details about that person and their card from the financial institution via social engineering.

      To me this means if you lose your phone, it may have enough information on it to enable the finder to then get your credit card details through social engineering.

    2. Re:Stupid headline by stephanruby · · Score: 5, Informative

      Also it cites the PCI standard, but that applies only to a full credit card number that has been transmitted already.

      In this case, it only keeps the 4 digits of the card number and the expiration date in plain text on your own phone. It's not bad compared to a regular wallet that will keep the full credit card number, the expiration date, the full name, and the verification code as well, all written in plain text on some flat piece of plastic.

  3. No kidding. by SeaFox · · Score: 5, Insightful

    viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.

    Correct me if I'm wrong, but isn't social engineering the art of tricking people into giving information or access they wouldn't normally? If the security is breached through human gullibility I don't see what method of storing the data is going to protect against that, unless it's storing it where nobody but PCs have access to it and no humans have access to said PC's.

    I can socially engineer the card holder to give me their card info and you can't encrypt against that.

    1. Re:No kidding. by caladine · · Score: 5, Insightful

      I think the point was that it makes it easier to pull off the "social engineering" if you have access to information only privileged parties should have. They should still be encrypting the locally stored data, and it's just lazy not to.

    2. Re:No kidding. by JWSmythe · · Score: 5, Funny

      Wouldn't you be kind of suspicious if your phone gets snatched and suddenly someone calls you up

          That'd be a really cool trick.

      --
      Serious? Seriousness is well above my pay grade.
  4. Nothing to see here, move along... by Anonymous Coward · · Score: 5, Informative

    It stores the last 4 digits of the credit card, so you know which card was used in your google wallet. My telephone company does this, as does paypal if I remember correctly. Whilst it may not be stored easily in plain view of anyone, I think someone breaking into either of those accounts would be more likely than someone first stealing my phone, rooting it then access the sqlite DB.

    To be honest, I am more afraid of my local 7/11 employee who swipes my credit card every day in plain view when I buy milk, newspaper and mamma noodles. I think even some POS systems display the card number on their terminal screen!

    These days, I think most credit cards have secondary verification systems in place so even if someone did get my card number, it would be very difficult to use. I already have a hard enough time booking airline tickets online and trying to remember what my Verified by Visa password is. Stupid story and I read somewhere that even some stupid phone provider in the US (Verizon maybe?) has delayed the sale of the Nexus because of this.

  5. Social Engineering by asdbffg · · Score: 5, Funny

    Caller: Hi, I'm calling from... er... Google... and it says here in this text file that you have a credit card number on file with us. Is that right?

    Victim: Yes, that's right.

    Caller: Cool. Would you mind giving me that account number so I can verify your identity?

    Victim: Let me get my card...

  6. It's the last 4 digits by hawguy · · Score: 5, Insightful

    From TFA:

    While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database.

    The same last 4 digits that are printed on your credit card receipts and show up as plain text on many web sites that store credit cards.

    Doesn't seem like a big deal - people should know better than to give their card number to someone that has the last 4 digits of their card number since they could have gotten them anywhere. (or just guessed - send a spam email to 10 million people with a randomly generated 4 digit number, and you'll have guessed right for 1000 of those people.)

  7. And so? by Cyberax · · Score: 5, Insightful

    And so what? Your phone must be able to decode the stored data, so it must somehow acquire decryption key.

    That means that this decryption key must be transmitted over the network or stored on the device itself. And if it's stored on the device, then the whole encryption scheme is nothing more than complex obfuscation.

  8. I'm not defending Google but... by JohnnyMindcrime · · Score: 5, Informative

    ...I do work in security for a telecoms product manufacturer and maintainer and there are a HUGE number of companies out there that store credit card data in plain text.

    However, you cannot just look at that one particular issue to make a determination as to whether or not the data is secure - it's also about how the system on which that data is stored is isolated from the real world, what firewalling and access controls are in place to restrict who can get to that data, whether or not they update the systems regularly, etc. etc.

    This is NOT a security exploit, there's no report of any security hole that makes that data available to the rest of the world, unlike what happened to Sony - so some prespective needs to be put on this.

    Any wise company conducts regular Risk Assessments on their infrastructure to determine what potential security risks exists, how big those risks are and how much it will cost to fix it. In this particular case, it might be that using encrypted credit card information might entail having to upgrade very expensive applications to a later version, all of which will factor into the cost of fixing the issue. If Google has determined that the risk of an outside party getting to that data is extremely low, then they may not consider it worth the expense of the upgrade.

    Every company will do this, even Apple and Microsoft, and many of them do choose to adopt PCI (Payment Card Industry) guidelines on storing this kind of data correctly.

    It could be argued that someone stealing a file of encrypted credit card data from a company is a much bigger issue than someone (so far) not being able to steal unencrypted data from a company - so it's always wise to put some perspective around these kinds of statements.

    --
    Windows 10 is great - I used it to download Linux.