After Rewrites, Google Wallet Still Has Holes
itwbennett writes "A report from viaForensics makes clear that, despite efforts by Google to tighten up security after a poor evaluation in December, Google Wallet still stores data in too many places and could make it available too easily to be a secure way to make purchases using smartphones."
If you don't like it, why are you still here? I may not agree with Slashdot's spin on many stories, but it's still a great aggregation site and the commentary is pretty good if you ignore all of the morons like you. The ability to form your own opinion and present it in a non-troll-like manner still seems to be valued here by a decent majority even if it goes against the prevailing bias.
I think it should be noted that the report is behind a paywall.
Please don't feed the trolls, sir.
More like exaggeration site.
I like this place for the discussion - not the news.
To offset political mods, replace Flamebait with Insightful.
You only get pro-Google
At least paste your tripe in an article that's actually pro google nitwit.
You don't even need a secure area on the smart phone. You could put a thumbprint reader on the phone, then generate a hash from the thumbprint, then use that hash to generate a public/private key pair, then encrypt the credit card details with the public key. The phone would never have to store the private key at all. That is just one of many ideas that would help make this secure. Among others:
1. Require a thumbprint *and* a PIN code
2. Have an uber-long password to reset things in case the thumbprint or PIN don't work
3. Have a website to blacklist lost or stolen phones, not just some obscure phone number
4. When talking to other NFC equipped terminals, don't send the credit card data. Have the phone sign a "transaction receipt" with your private key. This would prevent replay attacks and no one would ever even have your card number
5. Create a separate PayPal-like account that users could put limited funds in, so if their phone was stolen, they would only lose the money in that account
And in addition, there could be many cool new features:
1. Put NFC readers on laptops, and use the public key idea for online shopping
2. Use your public key for door locks, and throw away your keychain *and* your wallet
3. Keep a list of transaction details on the phone, then sync up to Quickbooks at night
This technology could be super cool if they did it correctly, but as usual it seems to be implemented in the most half-assed way possible. Did these guys even contact an independent security firm to audit this before release? Did they hire someone like Bruce Schneier to architect it securely in the first place? Or did they just have a couple of MBAs, junior devs, and a few legal people draw something up on a whiteboard?
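The signed "transaction receipt" idea from item 4 of the comment above, sketched as an added example that is not part of the original thread and not Google Wallet code. The `Terminal` type, function names, message layout and the choice of Ed25519 are all assumptions; the key is generated randomly rather than derived from a thumbprint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrReplay       = errors.New("nonce unknown or already used")
	ErrBadSignature = errors.New("receipt signature invalid")
)

// Terminal is a hypothetical NFC reader. It holds only the phone's public
// key, so it never sees a card number or any secret worth stealing.
type Terminal struct {
	merchant string
	phoneKey ed25519.PublicKey
	pending  map[[16]byte]uint64 // open challenges: nonce -> amount in cents
}

func NewTerminal(merchant string, phoneKey ed25519.PublicKey) *Terminal {
	return &Terminal{merchant: merchant, phoneKey: phoneKey,
		pending: map[[16]byte]uint64{}}
}

// NewPhoneKey stands in for enrollment (assumption: a random Ed25519 key).
func NewPhoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Challenge opens a purchase with a fresh random nonce bound to the amount.
func (t *Terminal) Challenge(amountCents uint64) [16]byte {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	t.pending[nonce] = amountCents
	return nonce
}

// receiptBytes is the exact byte string both sides sign and verify:
// version tag || nonce || amount (big-endian) || merchant ID.
func receiptBytes(nonce [16]byte, amountCents uint64, merchant string) []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], amountCents)
	msg := append([]byte("nfc-receipt-v1"), nonce[:]...)
	msg = append(msg, amt[:]...)
	return append(msg, merchant...)
}

// SignReceipt runs on the phone, after the user has approved what is shown.
func SignReceipt(priv ed25519.PrivateKey, nonce [16]byte, amountCents uint64, merchant string) []byte {
	return ed25519.Sign(priv, receiptBytes(nonce, amountCents, merchant))
}

// Accept rebuilds the receipt from the terminal's own record of the
// challenge, so a signature over a different amount or merchant fails.
// The nonce is consumed on first use; a captured receipt cannot be replayed.
func (t *Terminal) Accept(nonce [16]byte, sig []byte) error {
	amount, ok := t.pending[nonce]
	if !ok {
		return ErrReplay
	}
	delete(t.pending, nonce)
	if !ed25519.Verify(t.phoneKey, receiptBytes(nonce, amount, t.merchant), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := NewPhoneKey()
	term := NewTerminal("merchant-42", pub)
	nonce := term.Challenge(799)
	sig := SignReceipt(priv, nonce, 799, "merchant-42")
	fmt.Println("first tap:", term.Accept(nonce, sig))
	fmt.Println("replayed: ", term.Accept(nonce, sig))
}
```

The replay protection comes from the terminal-chosen single-use nonce, not from the signature alone: a signature over a fixed message would verify every time it was replayed.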
Worried about hackers from Eastern Europe, Rodney's dad used to carry around a picture of the kid who came with the wallet.
It's actually just the opposite.
Slashdot publishes google smear stories practically every day. Including stories with very little credibility, i.e. stories from personal blogs etc.
This is going to be one of those moments where I wonder why I bothered, but...
Yes, Google was investigated for the wifi data collection. The FTC investigated, and determined that nothing had been done intentionally, and Google agreed to improve their privacy policies accordingly. You can read that here, should you choose to actually know what's going on.
Yes, Google required real names on G+, and used it as an 'identity service'. What I fail to understand is how that differs from every website in the cosmos requiring me to log in via Facebook. It sucks, but they all do it.
Microsoft used a 90+ percent monopoly in the desktop market to try and dominate the web. Google uses a 60 some percent dominant position (but hardly 'monopoly', given there are several hundred other search engines that could be used) to fund development of a free phone OS no one is required to use. People use it because it works. If Microsoft had provided a browser, but not bundled it in, but given it away for free, there would have been no case against them, just like there isn't against Google now. You aren't required to use Android, there are other options, and you aren't handed a free phone when you visit their search page.
Yes, they injected G+ results in their search results. They did NOT however block results from anyone else like Twitter or Facebook from appearing. They were still in the results. Were G+ results returned with higher rankings? I don't know, never turned that on, and never used G+. Because of that, I never got back search results relating to G+ at all, and as far as I know you can still turn that off, so you don't get them either. I can see why Twitter and the others were butt-hurt about this, it cuts directly into THEIR money, but why are you? Don't like it, SWITCH IT OFF. It hardly constitutes evil to allow you to opt out of something.
Yes, Apple surpassed Android in market share at the end of the year, primarily due to them releasing a new phone. If you want reporting on how the front runner changes every 12 seconds, I am sure there are places for that, but I personally don't care to read how a new vendor 'owns' a half a percent higher share of the market every single day. The first time someone passes the front runner it's news. The 27th time they change places, it just isn't.
Perhaps you get modded down on posts like these because you engage in name-calling, present a closed-minded position, assume a victimized attitude, lash out with hate, and refuse to present a reasoned, well argued position? Just a thought.
Seconded. The news is available from many sources, and is usually not all that new by the time it hits the /. front page. If one wants breaking news, /. is not the site to use as a primary source. It's the (oft maligned) /. community that is the real attraction here. Just tweak the hidden/abbreviated thresholds to a comfortable setting (2/3 when not moderating, personally) and much of the noise that people complain about is filtered, and what remains is usually of sufficient quality to inform, entertain or enlighten.
Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to set up and use, lack of features, and essentially no help from google.
I have used google wallet, and I have used paypal. Paypal is *far* superior.
I am far from a google hater. I even have some of those weenie google certs in analytics, and google apps. Sadly, Google merchant, and google wallet, are just not worth using.
Google is aware of the many problems with google apps, merchant, wallet, etc. But google only really cares about their bread-and-butter advertising business. Everything else is on a distant back burner. Google services, other than advertising, are things that google employees work on in their spare time - very low priority.
You would think that Google has enough money and perks to hire a few really good IT security experts. Apparently they do not have the corporate culture to do so. Pathetic.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You only get pro-Google
At least paste your tripe in an article that's actually pro google nitwit.
It's funnier this way. It makes it clear that, no matter how good Google is at autonomous vehicle driving, they still have a way to go with chatbots.
To make an autonomous vehicle analogy, it just ran a red light.
Faster! Faster! Faster would be better!
This will get modded down because trolls have taken over the moderation system and openly subvert it.
By your hypothesis, this post will get modded sky-high, moron. If me pointing out that you're stupid does not get modded up, that suggests that there is not a significant pro-google crowd who has hijacked the board. If it does, then I get modded up. I call that a win-win, but you wouldn't understand that because you're not very smart.
PS. Google rules, and you're dumb.
Not interested in paying $1000/yr for a data plan so I can spend my money so easily that I'm less inclined to keep track of it, or so that anybody who can hack my overpriced system can spend my money. Die already. Just. Die.
Someone has to complain in every comments section so it's his duty to stay.
(Modded in this story; not the same AC)
I do not use Google+ and I never even created an account (though I have been invited, which may have stupidly built an account for me), but it still tries to stuff the results into my feed even after I have turned it off; that is definitely bundling. Furthermore, it has been proven that Google+ is being given an enormous advantage over far more relevant services in Google's search results.
I have also never used a website that required Facebook to login. Not one. (That is different from using sites that offer it as a secondary login)
Google has been experimenting with so many things lately. They are fiddling with self-driven cars, trying to get into home entertainment system, cell phone business etc. I have been a big fan of google, but lately I have been having issues with a lot of their products. This is mostly maintenance stuff but it annoys me, especially considering that the products were good and easy to use in the beginning such that I switched to using google stuff for a lot of my day to day activities:
Gmail has become slower and every now and then does something weird which forces me to close/reopen the tab.
Chrome memory usage has gone way up in case anyone is noticing. With the approx same number of tabs and plugins/extensions etc, I see all the different chrome processes add up to the same amount as firefox or even more. I could have sworn it was lesser around 6 months back.
Google talk connection quality has gone down.
The gmail app on android has a tonne of bugs with respect to syncing and notifications. They keep fixing some and creating some every time we have a new release. Currently, my android is not showing me notifications from Gmail app. I see them only from the stock email app.
Now, google wallet earlier got pretty bad reviews for security and even this time around their ratings were not good. I wonder if they can put their weight behind only some of the items and make sure they get out a good product and maintain it properly would that be a better thing to do. I know they recently cancelled some projects, but they still have a lot of projects in a lot of myriad areas.
Not cool at all, product fail.
The key thing to keep in mind about the various Google Wallet deficiencies is that they all require the attacker to get your phone and root it... and he still has less information about and/or ability to use your card than if he'd gotten your credit card. That's not to say that the Wallet issues don't need to be addressed, but it does mean that carrying your credit card in your phone is more secure than carrying your credit card in your wallet.
Bottom line: Google Wallet security isn't as good as it could be, but it's still better than plastic.
Oh, I guess there is one way plastic might be more secure... the phone conducts transactions via RF, so there's still the possibility of someone doing a payment transaction with your phone while it's in your pocket, without your knowledge. Google Wallet addresses that risk in three ways. First, NFC is very short range. 1-2 centimeters with off-the-shelf equipment, perhaps 10 cm in the lab. Second, if your screen is turned off, the NFC payment is disabled. Third, if you haven't entered your PIN in the last few minutes (15?), NFC payment is disabled. In addition, all of the normal credit card risk management infrastructure is still in place, as well as the legal limitations on your liability.
Honestly, the biggest problem with Google Wallet isn't security, it's acceptance. Unless you want to eat at McDonald's a lot, it's fairly difficult to find merchants who can accept it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
One of the dumbest multi-account trolls ever on Slashdot throwing a tantrum that pretty much everyone quickly caught on to his flood of pro-Apple/anti-Google sockpuppet accounts.
It hardly constitutes evil to allow you to opt out of something.
While I agree with the majority of your post, I think it is evil to require users to opt out. To me that is the same as saying that microsoft wasn't evil to bundle the browser, you could 'opt-out' by deleting it and installing your own browser, after all.
If only you had a clue what a troll actually was. In the early days, it was well understood. These days, most people, seemingly including you, think it means, "I didn't like what I heard", or, "I don't like how it was delivered, therefore I will censor it." That's one of the biggest problems slashdot has. So while it's funny your ignorant and troll post (yes, you actually trolled someone with a legitimate message) was moderated "insightful", it doesn't change the fact that it's not. Not at all. Not in the least. Contrary to your assessment, most comments on slashdot these days are factually incorrect, half truth, or complete bullshit whereby others who also don't know any better like moderating things up because it validates themselves do so. Thusly ignorance re-enforcing ignorance in a vanity of self selection. Bluntly, the vast, vast majority of comments on slashdot are a complete waste of time and all too often make everyone who reads them dumber. Worse, far too many times, factually valid answers are moderated down simply because some dumb moderator disagreed; all too often because they are seemingly too ignorant of the subject matter to even know if it should be moderated up or down. Which brings us to moderators. The vast, vast majority of them can't even follow the most basic of instructions on how to moderate. If it were an IQ test they would surely be measured as mentally deficient. Basically, if the moderators can't even follow simple instructions, why in the hell do you think the readership at large (from which moderators originate) knows anything about anything. Bluntly and factually, most of them don't. Which is why truly worthy, insightful, or informative posts are by far the exception rather than the rule; which stands in stark contrast to what is reflected in moderation.
The only thing you are right about is that slashdot is a good aggregation site, which is the only thing which keeps me and many others around. And even that, it's beginning to fall behind. It used to be that slashdot was easily one of the best places to get news fast. These days I semi-commonly see stories appear one to four days after it's already made circles elsewhere.
Add it all together, indeed, slashdot is dead...or more appropriately, dying a slow, painful death, with a large audience who are seemingly so ignorant, they simply don't know any better. Which seems to bring us full circle to the paragraph above. Sorry, but you're wrong on most accounts. To us old timers, hardly a shocking development.
I would hardly call him a troll, he has a point even if he does over dramatize the matter.
You would have to be pretty blind to not notice the huge bias in most of the news summaries.
It's not dead, but it could benefit from some healing.
Troll is not a replacement for I disagree.
Oh for God's sake - this meme is as bad as the one that said "Google puts its own financial results above others in its search results!". No. No, it doesn't. What is happening is that space around the actual search results - which, btw, is clearly defined - is used to show other Google products. Furthermore, I'm not sure that Twitter and Facebook have a leg to stand on to claim that they are more relevant than.... well, anything.
The Zdnet story is very simple: Facebook and Twitter want to get a free ride on Google's search engine. That's it. If Facebook and Twitter want to get higher rankings in search engines, they can roll their own. After all, Facebook apparently is worth more than Google anyway, so clearly Facebook has the money for it.
Those who can, do. Those who can't, sue.
Google wallet wasn't even created by google people. It is done by a Korean IT company. I interviewed there. I got the drift it would be a 'you work 70 hours a week if you love your job' sort of place. I ran the opposite way. I would say this is more about poor software companies with draconian work conditions producing substandard software than google itself.
They had to change their privacy policies so that there was just one single privacy policy. It was basically a re-wording that used 85% less words to tell you the same thing.
There was nothing to really opt out of, but if it rubs you the wrong way just quit using their services.
Don't know something? Look it up. Still don't know? Then ask.
Microsoft bundles their browser into their OS and it's considered evil. Google bundles their social network with their search....and it's not evil because "They did NOT however block results from anyone else like Twitter or Facebook from appearing."
Microsoft never stopped people from installing IE.
Google is very, very clearly using its 90% WORLDWIDE search monopoly to elbow into new areas. Your post is pretty much exactly what OP was talking about - people on this site have for YEARS mindlessly attacked Microsoft while also mindlessly knelt before the altar of Google.
Google is currently facing anti-trust issues in numerous countries. If they are found guilty in any of them how do you think Slashdot will HONESTLY react? For years I've seen people here say "MICROSOFT IS A CONVICTED MONOPOLIST! THEY CAN'T BE TRUSTED!". I FULLY expect that should Google be found guilty of anti-trust violations that Slashdot will experience a massive amount of denial and rationalizations. "The regulators are bought by M$!" or "This is bullshit. Google is a good company that is a victim of their own success. They should never have been convicted.".
Slashdot is like an old man. It's set in its ways and it won't let facts get in the way.
It hardly constitutes evil to allow you to opt out of something.
While I agree with the majority of your post, I think it is evil to require users to opt out. To me that is the same as saying that microsoft wasn't evil to bundle the browser, you could 'opt-out' by deleting it and installing your own browser, after all.
All true for the fact that no, you could not delete IE.
Write boring code, not shiny code!
I don't really care about Facebook or Twitter's woes. Google has no obligation to promote others' sites any more than Microsoft should be required to distribute Firefox.
What's really bad about this situation is that Google is hurting users by returning (vastly) less relevant results, even when it is aware of a more relevant answer. When they put strategic tie-ins above relevance, they alienate their audience.
It is, after all: **Google** Wallet.
So it certainly has something to do with Google. If it's a Google product, it's up to Google to make sure it works correctly. No matter who Google contracts with.
Microsoft used a 90+ percent monopoly in the desktop market to try and dominate the web. Google uses a 60 some percent dominant position (but hardly 'monopoly', given there are several hundred other search engines that could be used)
Can't tell if troll or just that daft at logic.
If Google isn't a monopoly, then neither was Microsoft. There were plenty of alternative operating systems (Apple's OS, Linux, various BSDs, commercial Unixes, BeOS, fuck, I think OS2 was still around at the time Slashdot had its panties in a big knot) and there wasn't exactly a shortage of web browsers, either.
you can't deny Google is forcing their Google+ results where more relevant results should be. or that they dumped android onto the mobile market, forcing webos and Meego out of the market. they offered Google maps API for free, pushing out competitors, and now that they have dominant marketshare they're charging businesses for it.
I couldn't care less about nitpicking about how they store it internally. What is a real problem though, that after I buy something using it (from my PC, mind you), 3rd party programs on my Samsung Galaxy Tab suddenly gain rights to charge me, WITHOUT ASKING my password! (brilliant idea, dear Google) Bum, and you've just purchased non-refundable "5000 Happy Stars" for "Sheeps & Clouds" game for mere 7.99 Euro. How on Earth, after the story with Apple losing the case for remembering password for 15 minutes (!!!), could Google decide that remembering it forever is a good idea, is beyond me.
How was it evil to offer a browser on a computer? If it didn't offer its own browser how would someone access the internet to grab a different? Or are you saying that a company should go out of its way (like Microsoft has now) to allow you to install someone else's software by default?
I'm sorry, but that's a joke. It's kinda like the whole real name with G+, don't like it don't use it. Don't want to use your real name, put Dave Jones as your name. w/e it's not like you have to submit a copy of your drivers license to prove who you are. Sure they moved away from the standard of the pseudonym, but that's their choice. It makes you in no way evil to offer someone a new set of functionality.
This honestly reminds me of cyber bullying, don't like what someone is saying to you, close the chat window. Then again, I never really jumped onto the "Microsoft is evil" bandwagon except for a few of their truly anti-competitive practices (paying IBM/dell/hp/etc to only use Microsoft on their sold computers). What's funny is they won that anti-competitive suit but LOST the browser one. What a joke world we live in.
Actually Google is doing the same thing with voip, pushing others out of the market by subsidizing free calls to the US and Canada with Google talk. Now they're using Motorola's frand patents to push apple out of the market, although the EU won't allow them to do it.
Microsoft wasn't anti-competitive because it was forcing people to use IE to go download FF or whatever and it's a joke the european courts ruled that way. Most people's responses to that article were pretty much indifference with a few anti-MS zealots going another way. The MS bashing on /. has dropped tremendously of recent because apple has been taking a huge part of the marketshare.
You want to know what is anti-competitive? Walled off app markets (Apple/MS), paying major manufacturers to use only your software (MS to DELL, HP, IBM) so that you win 90% of the market and don't give your competitors a chance, not allowing people to work/fix/anything with their own computers (apple), locking your phone into one provider (apple), etc etc etc.
I don't recall the last time google made an OS that could only use google search (even chromeOS offers others on setup, android all you have to go and set the homepage), I don't recall Google paying off HTC, Samsung, etc to make only android only phones and not iPhone or Windows Mobile... This BS about Real Names and stuff like that isn't evil. Don't like, don't use it!
WTF Slashdot, why do I have to login 50 times to post?
It's very said when a post claiming Google has 60% of the market (in reality they are over 90%) gets modded up as "informative". Friend of mine, working at myvideo.de, complained about Google dumping youtube ads prices. And I'm not buying "we've "unintentionally" captured terabytes and terabytes of Wi-Fi traffic", sorry. In other words, they seem to be much less evil than Apple/Microsoft, but they are definitely not saints.
Perhaps the most hilarious thing is H.264. Google dropped H.264 support from Chrome and Android because they're afraid of patent trolls. To date, the only H.264 patent troll is ... Motorola. So Motorola will stop patent trolling after the acquisition is complete? Not according to Google's lawyers.
Do you even lift?
These aren't the 'roids you're looking for.
about security. All they care about is making $$$ and getting as much private information (about the user) that they can use to make more $$$.
... it does have holes: money needs to breathe you insensitive clod. No one wants dead bucks in his pocket.
what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
Uhm... Android was *NOT* surpassed in marketshare. STOP SPREADING THE MISINFORMATION.
Android was surpassed in marketshare GAINED last quarter. Android still gained "a few percent" marketshare (upwards of 50%) while big red gained "a few percent" + a bit more. This does NOT mean Android was overtaken in marketshare. It still has a 50%+ smartphone marketshare compared to any other platforms (30%)
i.e. (numbers pulled out of my ass for illustrative purposes)
Android went from 50% to 54% marketshare (4% gain)
Big Red went from 24 to 29% marketshare (5% gain)
Let's run an experiment then to see how comparable they are. For the next 10 weeks, I'll use a different search engine each week (no cheating). You'll install and use a different OS each week and use only it for all of your work/home tasks. After we demonstrate how comparable that is, we'll be able to show how the effective leverage available for market domination is clearly compatible... or not.
60 versus 90 may not seem all that different, but what the regulators are looking at is 40 versus 10 (the viability of the competition). Anti-trade isn't there to protect companies, but to ensure that competition is possible and the market situation doesn't hurt the user. Considering that search services are free (as in beer) and the switching cost is nearly zero, it is hard to argue consumer harm. Considering that in the US the 60% competitor has a 30% competitor, it's hard to argue that competition isn't possible. If Bing gave better results, even more people would use it.
It isn't "said" at all, when the actual figure is 66%, and I claimed 60 some percent, is it? I also imagine the FTC would have gained much from your insights, and how you 'aren't buying' the accidental thing. I am sure they could have used you during the investigation. I am sure you could explain to them how it was unbelievable that a device designed to record all kinds of telemetry data might accidentally save too much.
Your anecdote about a friend being upset about youtube ad prices was very informative though. I'm just not sure what it was informing us of.
I in no way claimed Google were saints. In fact, Google is an amoral, greedy corporation driven by desire for money. Which makes them exactly the same as any other corporation. I just don't see why they are being vilified for things they aren't doing, or are completely upfront about.