Slashdot Mirror

← Back to Stories (view on slashdot.org)

After Rewrites, Google Wallet Still Has Holes

Posted by samzenpus on from the leaking-like-a-sieve dept.

itwbennett writes "A report from viaForensics makes clear that, despite efforts by Google to tighten up security after a poor evaluation in December, Google Wallet still stores data in too many places and could make it available too easily to be a secure way to make purchases using smartphones."

82 comments

  1. yay by Anonymous Coward · · Score: -1

    yay

  2. Slashdot is dead by Anonymous Coward · · Score: -1, Troll

    Infiltrated by Google employees and well-wishers, Slashdot consistently offers justifications for every bad behavior and terrible decision coming from Google. Just look at the privacy changes article in which fanboys banded together to make sure Google was perceived as the good guy and that anyone critical of them was modbombed.

    Just to recap, Google is a multibillion dollar advertising megacorporation that was caught by the German government sniffing people's wifi data (they "accidentally" did it for three years before admitting it only when authorities threatened an investigation), forced people to use real names on Google+ and admitted it was an identity service and not a social network, stuffed Google+ results into the search engine without any competing social networks even though they have those networks indexed by the search engine (hello, Microsoft tactics), said that the only people who care about privacy "have something to hide," hacked into Mocality to call its customers, removed H.264 support in Chrome out of "openness" only to turn around and ship the closed-source Flash plugin, withheld Android source from the public but shared it with privileged hardware partners so they could have a leg up, abused their Android compatibility program to make things difficult for smartphone makers who chose Bing over Google, and on and on and on.

    With all this crap they pull that would get them completely trashed if they were Microsoft or any other company, there's one reason and one reason only that they have been propped up as the good guy on Slashdot all these years--Linux. They use Linux. Slashdot is a Linux advocacy site, and so because Google uses Linux, they are good guys and get a pass for everything. That's all it takes to get Slashdot to love you. Just use Linux.

    Hypocrites. When Microsoft used their Windows monopoly revenues to fund development of Internet Explorer and release it for free to try to dominate the web market, everyone here cried "antitrust!" But when Google uses its web search monopoly revenues to fund development of Android and release it for free to try to dominate smartphones, everyone defends it. For anyone who was on Slashdot during those times, to see Google doing all the very same things Microsoft did but get a completely different reaction is surreal.

    Slashdot is a bubble. You only get pro-Google, pro-Linux news. Major news occurring elsewhere is often days late, if it gets reported at all. The Google+ search results fiasco is huge all over the tech sites right now, but there's nothing about it here, as if it doesn't even exist as a controversy. And did you know iOS surpassed Android in marketshare by the end of 2011 according to three research firms? With how obsessed Slashdot is over marketshare, and how they constantly trumpeted Android's marketshare all the time as a victory last year, you'd think it would be big news. But, no. This is pro-Google territory, pro-Linux territory. Gotta keep the natives happy for more page views.

    This will get modded down because trolls have taken over the moderation system and openly subvert it. That's fine. It just proves my point about how Slashdot reacts to anything outside the partyline. This site's news reporting is old, antiquated, and slow, but the news isn't even why people come here anymore. The part of the community still remaining (after its years-long exodus to Reddit, Hacker News, and other sites, which is why traffic has decreased so dramatically on most Slashdot stories today) only comes here to pat themselves on the back for thinking a certain way. "Yeah, Microsoft is still evil! Yeah, Google is still the good guy! Yeah, Apple is still for chumps!" It's the year 2000 forever on Slashdot.

    1. Re:Slashdot is dead by SJHillman · · Score: 4, Insightful

      If you don't like it, why are you still here? I may not agree with Slashdot's spin on many stories, but it's still a great aggregation site and the commentary is pretty good if you ignore all of the morons like you. The ability to form your own opinion and present it in a non-troll-like manner still seems to be valued here by a decent majority even if it goes against the prevailing bias.

    2. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      Please don't feed the trolls, sir.

    3. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      I may not agree with Slashdot's spin on many stories, but it's still a great aggregation site

      More like exaggeration site.

    4. Re:Slashdot is dead by masternerdguy · · Score: 3, Insightful

      I like this place for the discussion - not the news.

      --
      To offset political mods, replace Flamebait with Insightful.
    5. Re:Slashdot is dead by Anonymous Coward · · Score: 4, Insightful

      You only get pro-Google

      At least paste your tripe in an article that's actually pro google nitwit.

    6. Re:Slashdot is dead by madmark1 · · Score: 5, Informative

      This is going to be one of those moments where I wonder why I bothered, but...

      Yes, Google was investigated for the wifi data collection. The FTC investigated, and determined that nothing had been done intentionally, and Google agreed to improve their privacy policies accordingly. You can read that here, should you choose to actually know what's going on.

      Yes, Google required real names on G+, and used it as an 'identity service'. What I fail to understand is how that differs than every website in the cosmos requiring me to log in via Facebook. It sucks, but they all do it.

      Microsoft used a 90+ percent monopoly in the desktop market to try and dominate the web. Google uses a 60 some percent dominant position (but hardly 'monopoly', given there are several hundred other search engines that could be used) to fund development of a free phone OS no one is required to use. People use it because it works. If Microsoft had provided a browser, but not bundled it in, but given it away for free, there would have been no case against them, just like there isn't against Google now. You aren't required to use Android, there are other options, and you aren't handed a free phone when you visit their search page.

      Yes, they injected G+ results in their search results. They did NOT however block results from anyone else like Twitter or Facebook from appearing. They were still in the results. Were G+ results returned with higher rankings? I don't know, never turned that on, and never used G+. Because of that, I never got back search results relating to G+ at all, and as far as I know you can still turn that off, so you don't get them either. I can see why Twitter and the others were butt-hurt about this, it cuts directly into THEIR money, but why are you? Don't like it, SWITCH IT OFF. It hardly constitutes evil to allow you to opt out of something.

      Yes, Apple surpassed Android in market share at the end of the year, primarily due to them releasing a new phone. If you want reporting on how the front runner changes every 12 seconds, I am sure there are places for that, but I personally don't care to read how a new vendor 'owns' a half a percent higher share of the market every single day. The first time someone passes the front runner its news. The 27th time they change places, it just isn't.

      Perhaps you get modded down on posts like these because you engage in name-calling, present a closed-minded position, assume a victimized attitude, lash out with hate, and refuse to present a reasoned, well argued position? Just a thought.

    7. Re:Slashdot is dead by c0d3g33k · · Score: 1, Offtopic

      Seconded. The news is available from many sources, and is usually not all that new by the time it hits the /. front page. If one wants breaking news, /. is not the site to use as a primary source. It's the (oft maligned) /. community that is the real attraction here. Just tweak the hidden/abbreviated thresholds to a comfortable setting (2/3 when not moderating, personally) and much of the noise that people complain about is filtered, and what remains is usually of sufficient quality to inform, entertain or enlighten.

    8. Re:Slashdot is dead by ColdWetDog · · Score: 0, Offtopic

      You only get pro-Google

      At least paste your tripe in an article that's actually pro google nitwit.

      It's funnier this way. It makes it clear that, no matter how good Google is at autonomous vehicle driving, they still have a way to go with chatbots.

      To make a autonomous vehicle analogy, it just ran a red light.

      --
      Faster! Faster! Faster would be better!
    9. Re:Slashdot is dead by interkin3tic · · Score: 0

      This will get modded down because trolls have taken over the moderation system and openly subvert it.

      By your hypothesis, this post will get modded sky-high, moron. If me pointing out that you're stupid does not get modded up, that suggests that there is not a significant pro-google crowd who has hijacked the board. If it does, then I get modded up. I call that a win-win, but you wouldn't understand that because you're not very smart.

      PS. Google rules, and you're dumb.

    10. Re:Slashdot is dead by thetoadwarrior · · Score: 1, Funny

      Someone has to complain in every comments section so it's his duty to stay.

    11. Re:Slashdot is dead by Anonymous Coward · · Score: 1

      Yes, they injected G+ results in their search results. They did NOT however block results from anyone else like Twitter or Facebook from appearing. They were still in the results. Were G+ results returned with higher rankings? I don't know, never turned that on, and never used G+. Because of that, I never got back search results relating to G+ at all, and as far as I know you can still turn that off, so you don't get them either. I can see why Twitter and the others were butt-hurt about this, it cuts directly into THEIR money, but why are you? Don't like it, SWITCH IT OFF. It hardly constitutes evil to allow you to opt out of something.

      (Modded in this story; not the same AC)

      I do not use Google+ and I never even created an account (though I have been invited, which may have stupidly built an account for me), but it still tries to stuff the results into my feed even after I have turned it off; that is definitely bundling. Furthermore, it has been proven that Google+ is being given an enormous advantage over far more relevant services in Google's search results.

      I have also never used a website that required Facebook to login. Not one. (That is different from using sites that offer it as a secondary login)

    12. Re:Slashdot is dead by inputdev · · Score: 1

      It hardly constitutes evil to allow you to opt out of something.

      While I agree with the majority of your post, I think it is evil to require users to opt out. To me that is the same as saying that microsoft wasn't evil to bundle the browser, you could 'opt-out' by deleting it and installing your own browser, after all.

    13. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      If only you had a clue what a troll actually was. In the early days, it was well understood. These days, most people, seemingly including you, think it means, "I didn't like what I heard", or, "I don't like how it was delivered, therefore I will censor it." That's one of the biggest problems slashdot has. So while its funny your ignorant and troll post (yes, you actually trolled someone with a legitmate message) was moderated "insightful", it doesn't change the fact that its not. Not at all. Not in the least. Contrary to your assessment, most comments on slashdot these days are factually incorrect, half truth, or complete bullshit whereby others who also don't know any better like moderating things up because it validates themselves do so. Thusly ignorance re-enforcing ignorance in a vanity of self selection. Bluntly, the vast, vast majority of comments on slashdot are a complete waste of time and all too often make everyone who reads them dumber. Worse, far too many times, factually valid answers are moderated down simply because some dumb moderator disagreed; all too often because they are seemignly too ignorant of the subject matter to even know if it should be moderated up or down. Which brings us to moderators. The vast, vast majority of them can't even follow the most basic of instructions on how to moderate. If it were an IQ test they would surely be measured as mentally deficient. Bascially, if the moderators can't even follow simple instructions, why in the hell do you think the readership at large (from which moderators originate) knows anything about anything. Bluntly and factually, most of them don't. Which is why truly worthy, insightful, or informative posts are by far the exception rather than the rule; which stands in stark constract to what is reflected in moderation.

      The only thing you are right about is that slashdot is a good aggregation site, which is the only thing wihch keeps me and many others around. And even that, its beginning to fall behind. It used to be that slashdot was easily one the best places to get news fast. These days I semi-commonly seen stories appear one to four days after its already made circles elsewhere.

      Add it all together, indeed, slashdot is dead...or more appropriately, dying a slow, painful death, with a large audience who are seemingly so ignorant, they simply don't know any better. Which seems to bring us full circle to the paragraph above. Sorry, but you're wrong on most accounts. To us old timers, hardly a shocking development.

    14. Re:Slashdot is dead by Anonymous Coward · · Score: -1

      It is every mod's duty to clearly and consistently mod down not just the troll posts but also the troll feeders. Use "offtopic" if the post is interesting and not evil, "redundant" it it's restating a boring argument and "troll" otherwise. As their karma gets killed regular posters will gradually learn. Others will never go above +1 and so these threads will never be seen by anyone except the mods.

      (and no, don't mod this up; those who need to read it; the mods that read low valued posts; will see it anyway).

    15. Re:Slashdot is dead by wisnoskij · · Score: 1

      I would hardly call him a troll, he has a point even if he does over dramatize the matter.
      You would have to be pretty blind to not notice the huge bias in most of the news summaries.
      It's not dead, but it could benefit from some healing.

      --
      Troll is not a replacement for I disagree.
    16. Re:Slashdot is dead by NeutronCowboy · · Score: 1

      Oh for God's sake - this meme is bad as the one that said "Google puts is own financial results above others in its search results!". No. No, it doesn't. What is happening is that space around the actual search results - which, btw, is clearly defined - is used to show other Google products. Furthermore, I'm not sure that Twitter and Facebook have a leg to stand on to claim that they are more relevant than.... well, anything.

      The Zdnet story is very simple: Facebook and Twitter want to get a free ride on Google's search engine. That's it. If Facebook and Twitter want to get higher rankings in search engines, they can roll their own. After all, Facebook apparently is worth more than Google anyway, so clearly Facebook has the money for it.

      --
      Those who can, do. Those who can't, sue.
    17. Re:Slashdot is dead by Jeng · · Score: 1

      They had to change their privacy policies so that there was just one single privacy policy. It was basically a re-wording that used 85% less words to tell you the same thing.

      There was nothing to really opt out of, but if it rubs you the wrong way just quit using their services.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    18. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      Microsoft bundles their browser into their OS and it's considered evil. Google bundles their social network with their search....and it's not evil because "They did NOT however block results from anyone else like Twitter or Facebook from appearing."

      Microsoft never stopped people from installing IE.

      Google is very, very clearly using it's 90% WORLDWIDE search monopoly to elbow into new areas. Your post is pretty much exactly what OP was talking about - people on this site have for YEARS mindlessly attacked Microsoft while also mindlessly knelt before the altar of Google.

      Google is currently facing anti-trust issues in numerous countries. If they are found guilty in any of them how to you think Slashdot will HONESTLY react? For years I've seen people here say "MICROSOFT IS A CONVICTED MONOPOLIST! THEY CAN'T BE TRUSTED!". I FULLY expect that should Google be found of anti-trust violations that Slashdot will experience a massive amount of denial and rationalizations. "The regulators are bought by M$!" or "This is bullshit. Google is a good company that is a victim of their own success. They should never have been convicted.".

      Slashdot is like an old man. It's set in its ways and it won't let facts get in the way.

    19. Re:Slashdot is dead by Pieroxy · · Score: 1

      It hardly constitutes evil to allow you to opt out of something.

      While I agree with the majority of your post, I think it is evil to require users to opt out. To me that is the same as saying that microsoft wasn't evil to bundle the browser, you could 'opt-out' by deleting it and installing your own browser, after all.

      All true for the fact that no, you could not delete IE.

      --
      Write boring code, not shiny code!
    20. Re:Slashdot is dead by Anonymous Coward · · Score: 1

      I don't really care about Facebook or Twitter's woes. Google has no obligation to promote others' sites any more than Microsoft should be required to distribute Firefox.

      What's really bad about this situation is that Google is hurting users by returning (vastly) less relevant results, even when it is aware of a more relevant answer. When they put strategic tie-ins above relevance, they alienate their audience.

    21. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      Microsoft used a 90+ percent monopoly in the desktop market to try and dominate the web. Google uses a 60 some percent dominant position (but hardly 'monopoly', given there are several hundred other search engines that could be used)

      Can't tell if troll or just that daft at logic.

      If Google isn't a monopoly, then neither was Microsoft. There were plenty of alternative operating systems (Apple's OS, Linux, various BSDs, commercial Unixes, BeOS, fuck, I think OS2 was still around at the time Slashdot had its panties in a big knot) and there wasn't exactly a shortage of web browsers, either.

    22. Re:Slashdot is dead by sonicmerlin · · Score: 1

      you can't deny Google is forcing their Google+ results where more relevant results should be. or that they dumped android onto the mobile market, forcing webos and Meego out of the market. they offered Google maps API for free, pushing out competitors, and now that they have dominant marketshare they're charging businesses for it.

    23. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      How was it evil to offer a browser on a computer? If it didn't offer it's own browser how would someone access the internet to grab a different? Or are you saying that a company should go out of it's way (like Microsoft has now) to allow you to install someone elses software by default?

      I'm sorry, but that's a joke. It's kinda like the whole real name with G+, don't like it don't use it. Don't want to use your real name, put Dave Jones as your name. w/e it's not like you have to submit a copy of your drivers license to prove who you are. Sure they moved away from the standard of the psuedonym, but that's there choice. It makes you in no way evil to offer someone a new set of functionality.

      This honestly reminds me of cyber bullying, don't like what someone is saying to you, close the chat window. Then again, I never really jumped onto the "Microsoft is evil" band waggon except for a few of there truly anti-competitive practices (paying IBM/dell/hp/etc to only use Microsoft on there sold computers). What's funny is they wont that anti-competitive suit but LOST the browser one. What a joke world we live in.

    24. Re:Slashdot is dead by sonicmerlin · · Score: 1

      actually Google is doing the same thing with voip, pushing others out of the market by subsidizing free calls to the us and canada with Google talk. now they're using Motorola's frand patents to push apple out of the market, although the EU wont allow them to do it.

    25. Re:Slashdot is dead by Rasperin · · Score: 2

      Microsoft wasn't anti-competitive because it was forcing people to use IE to go download FF or whatever and it's a joke the european courts ruled that way. Most peoples response to that article were pretty much indifference with a few anti-MS zealots going another way. The MS bashing on /. have dropped tremendously of recent because apple has been taking a huge part of the marketshare.

      You want to know what is anti-competitive? Walled off app markets (Apple/MS), paying major manufacturers to use only your software (MS to DELL, HP, IBM) so that you win 90% of the market and don't give your competitors a chance, not allowing people to work/fix/anything with there own computers (apple), locking your phone into one provider (apple), etc etc etc.

      I don't recall the last time google made an OS that could only use google search (even chromeOS offers others on setup, android all you have to go and set the homepage), I don't recall Google paying off HTC, Samsung, etc to make only android only phones and not iPhone or Windows Mobile... This BS about Real Names and stuff like that isn't evil. Don't like, don't use it!

      --
      WTF Slashdot, why do I have to login 50 times to post?
    26. Re:Slashdot is dead by Kartu · · Score: 1

      It's very said when post claiming Google has 60% of the market (in reality they are over 90%) gets modded up as "informative". Friend of mine, working at myvideo.de, complained about Google dumping youtube ads prices. And I'm not buying "we've "unintentionally" captured terrabytes and terrabytes of Wi-Fi traffic", sorry. In other words, they seem to be much less evil than Apple/Microsoft, but they are definitely not saints.

    27. Re:Slashdot is dead by larry+bagina · · Score: 1

      Perhaps the most hilarious thing is H.264. Google dropped H.264 support from Chrome and Android because they're afraid of patent trolls. To date, the only H.264 patent troll is ... Motorola. So Motorola will stop patent trolling after the acquisition is complete? Not according to Google's lawyers.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    28. Re:Slashdot is dead by similar_name · · Score: 1

      what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

    29. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      Uhm... Android was *NOT* surpassed in marketshare. STOP SPREADING THE MISINFORMATION.

      Android was surpassed in marketshare GAINED last quarter. Android still gained "a few percent" marketshare (upwards of 50%) while big red gained "a few percent" + a bit more. This does NOT mean Android was overtaken in marketshare. It still has a 50%+ smartphone marketshare compared to any other platforms (30%)

      i.e. (numbers pulled out of my ass for illustrative purposes)
      Android went from 50% to 54% marketshare (4% gain)
      Big Red went from 24 to 29% marketshare (5% gain)

    30. Re:Slashdot is dead by Anonymous Coward · · Score: 0

      Let's run an experiment then to see how comparable they are. For the next 10 weeks, I'll use a different search engine each week (no cheating). You'll install and use a different OS each week and use only it for all of your work/home tasks. After we demonstrate how comparable that is, we'll be able to show how the effective leverage available for market domination is clearly compatible... or not.

      60 versus 90 may not seem all that different, but what the regulators are looking at is 40 versus 10 (the viability of the competition). Anti-trade isn't there to protect companies, but to ensure that competition is possible and the market situation doesn't hurt the user. Considering that search services are free (as in beer) and the switching cost is nearly zero, it is hard to argue consumer harm. Considering that in the US the 60% competitor has a 30% competitor, it's hard to argue that competition isn't possible. If Bing gave better results, even more people would use it.

    31. Re:Slashdot is dead by madmark1 · · Score: 1

      It isn't "said" at all, when the actual figure is 66%, and I claimed 60 some percent, is it? I also imagine the FTC would have gained much from your insights, and how you 'aren't buying' the accidental thing. I am sure they could have used you during the investigation. I am sure you could explain to them how it was unbelievable that a device designed to record all kinds of telemetry data might accidentally save too much.

      Your anecdote about a friend being upset about youtube ad prices was very informative though. I'm just not sure what it was informing us of.

      I in no way claimed Google were saints. In fact, Google is an amoral, greedy corporation driven by desire for money. Which makes them exactly the same as any other corporation. I just don't see why they are being vilified for things they aren't doing, or are completely upfront about.

  3. frost post by Anonymous Coward · · Score: -1

    Front switzerland...

  4. Google Wallet is faget wallet by Anonymous Coward · · Score: -1

    Only faget use Google Wallet. Its like a faget pink wallet with rainbow faget sticker on it. Real man use leather wallet with chain, not some faget online Google faget wallet.

  5. Paywall? by Anonymous Coward · · Score: 3, Informative

    I think it should be noted that the report is behind a paywall.

    1. Re:Paywall? by Anonymous Coward · · Score: 0

      Does the paywall accept google wallet?

  6. google is great by Anonymous Coward · · Score: -1

    http://www.14sb.com/

  7. Could have been done right... by VoodooTrucker · · Score: 2, Insightful

    You don't even need a secure area on the smart phone. You could put a thumbprint reader on the phone, then generate a hash from the thumbprint, then use that hash to generate a public/private key pair, then encrypt the credit card details with the details with the public key. The phone would never have to store the private key at all. That is just one of many ideas that would help make this secure. Among others: 1. Require a thumbprint *and* a PIN code 2. Have a uber-long password to reset things in case the thumprint or PIN don't work 3. Have a website to blacklist lost or stolen phones, not just some obscure phone number 4. When talking to other NFC equipped terminals, don't send the credit card data. Have the phone sign a "transaction receipt" with your private key. This would prevent replay attacks and no one would ever even have you card number 5. Create a seperate pay-pal like account that users could put limited funds in, so if their phone was stolen, they would only lose the money in that account and in addition, there could be many cool new features: 1. Put NFC readers on laptops, and use the public key idea for online shopping 2. Use your public key for door locks, and throw away your keychain *and* your wallet 3. Keep a list of transaction details on the phone, then sync up to Quickbooks at night This technology could be super cool if they did it correctly, but as usual it seems to be implemented in the most half-assed way possible. Did these guy even contact and independent security firm to audit this before release? Did they hire someone like Bruce Shnier to architect it securely in the first place? Or did they just have a couple of MBAs, junior devs, and a few legal people draw something up on a whiteboard?

    1. Re:Could have been done right... by dgatwood · · Score: 2

      Do you know how easy it is to lift a thumb print? Or how unlikely it is that you would generate the same key from that print reproducibly? Biometrics are less than useless for security purposes because they cannot readily be changed, but can be readily stolen.

      The only hardware feature that actually increases security usefully is the use of devices like CryptoCard/SecurID tokens—non-networked devices that produce a different (but predictable) number each time. Unfortunately, it only helps if the bad guys don't know to steal it.

      Once the bad guys know to steal it, the only thing standing between them and your money is the account name and a (usually four-digit) pin. They can usually guess the account name; worse, if they have access to your phone, they can probably scrape the account name out of memory. This leaves four digits as the sum total of your security.

      This is why large transactions should always be verified with a call to your home phone, and funds should not be transferred until someone gets home and calls the number to verify it, providing the passcode that they leave on your answering machine. And even then, it's probably not all that secure if there is any way to get your home phone number from any card stripe in your billfold.

      This is also why credit card companies put the onus of identity verification on the merchant. Unfortunately, for online transactions, fraud is inevitable, which is why some merchants will only ship to the billing address, require a phone call to the billing phone number prior to shipping, etc.

      Security is hard. Real security is harder.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Could have been done right... by AJH16 · · Score: 1

      Um, I don't think things work the way you think they do. With respect, you do not understand what you are talking about and are in significantly over your head. Thumb prints don't give a definitive hash, it's more like a quasi-match that looks close enough. Every scan of your finger print looks different and has to be analyzed so you couldn't reproduce the same hash later. Even if it could make a uniform cache, using asymmetric crypto in this case makes no sense at all. Asymmetric is inherently and substantially weaker than symmetric cryptography which is the only thing you should trust for long term storage on a device like a phone where communication of the key is not necessary. Your third point doesn't seem to do any good at all as the service could easily be spoofed or ignored. Your forth point is wrong as it is already protected over the air. You have to communicate the payment mechanism (the card) somehow. You encrypt it via a one time challenge/response generated by both the terminal and the client. This is how it ALREADY works! On your fifth point, again, this is how it already works. Google wallet uses a Google Cash card which is a prepaid card that you add funds to.

      As for your additional ideas, 1) why use your phone to make a purchase online when the TPM in the laptop could do it directly without the need to do any additional work with the phone? 2) Already doable via either NFC, Bluetooth or WiFi, granted, the private key still has to be stored on the device if you wish to do it certificate based and symmetric would still be more secure. 3)This is already possible and is one of the things that the article actually faulted google for. I'm not sure if it will work directly with quick books, but a detailed transaction log is available.

      In short, most of your "great ideas" are either bad ideas or already implemented (and the exact things the article is complaining about) while most of the "problems" and "solutions" you provide are full of holes and/or simply don't work.

      The fact is this article itself is bullshit. They store critical information securely on the device and tie it to a trusted platform module. The company is just bitching that in their opinion, they think that some of the data google doesn't bother storing in secure storage shouldn't be left outside. Some of the information I suppose I could arguably agree on (like saying that balances might be available), but much of it is total bullshit. For example, they complain that they could access someone's name and e-mail address... really??? No kidding, it's a phone... I'm pretty sure I could find that on anyone's phone under contacts.

      --
      AJ Henderson
    3. Re:Could have been done right... by AJH16 · · Score: 1

      Oh, and if what you are thinking with asymmetric crypto is to do a bitcoin like thing where the merchant would have to hand the receipt to be digitally signed and then send it in to the merchant bank, they would still need to know which bank to send it to and which account it is associated with. The account information would still have to be transmitted in the encrypted communication, the signing would simply help ensure that a vendor doesn't try to charge things that they are not authorized to charge. That is an interesting idea, but you would still use symmetric cryptography to exchange the information.

      --
      AJ Henderson
    4. Re:Could have been done right... by AJH16 · · Score: 1

      It's more accurate to say real security is impossible. If someone really wants to get at you, they will. Security is all about making it easier to get the next guy so it isn't worth the effort.

      --
      AJ Henderson
    5. Re:Could have been done right... by dgatwood · · Score: 1

      And any security measure, once deployed broadly enough, becomes very nearly useless at achieving that goal. Indeed, the only reason passwords aren't basically useless is that users can choose arbitrarily long passwords, up to the limit of their memory, which means that they aren't deployed evenly....

      When additional security is deployed broadly and evenly, the only thing it really does is raise the minimum level of knowledge required to break the system. Depending on the level of cooperation among thieves, this may or may not decrease the number of potential attackers. Thus, such additions quickly yield diminishing returns. And to date, no security system has proven very resistant to the wrench attack with the exception of possibly dividing the key among multiple people, and even then, this is only resistant given a limited number of wrenches/wielders and a large number of uncaring keyholders.

      About the best we can do is to avoid the sorts of fraud that occur because of snooping. Require encryption for online stores (we pretty much do that anyway) and require proper encryption between things like ATMs and the banks that service them (I remember reading that this is not always the case). Ultimately, if your endpoint is cracked, you're screwed no matter what, for the same reason that DRM is impossible. The only way to reduce that significantly is to make a physically secure endpoint do more work (e.g. an RFID card that signs a message and returns the signature).

      Even that sort of scheme, however, can be compromised if you compromise the reader and pre-prepare someone else's transaction to run against the card at the same time in the background. So in effect, if your phone, the ATM, or the card reader at the grocery store is compromised, you're thoroughly screwed. There's just no way to fix that (or even significantly improve upon it), so why bother trying? You would do far better to spend your time improving the physical security and tamper resistance of the phone, the ATM, and the card reader at the grocery instead.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    6. Re:Could have been done right... by nahdude812 · · Score: 1

      then generate a hash from the thumbprint

      Consistent hashes require consistent input, and fingerprints are not that. Fingerprint readers are designed with an error tolerance because fingerprint scans are inconsistent. They can't be used to secure data, only to instruct software it's ok to grant access to something the software has the capacity to access anyway.

      --
      Slay a dragon... over lunch!
    7. Re:Could have been done right... by tlhIngan · · Score: 1

      Do you know how easy it is to lift a thumb print?

      On the old 2D sensors, maybe. But modern fingerprint sensors are 1D - they contain a sensor that scans as the user swipes the finger over the sensor. It makes it much harder to lift a fingerprint from (the fingerprint is wiped as it's read), as well as making the sensor MUCH smaller - something that can fit on a smartphone without consuming too much space.

      Modern fingerprint sensors you find on computers are already the swipe kind. You'd have better luck lifting a print from the screen or other surface of the phone than the sensor these days.

    8. Re:Could have been done right... by mrmeval · · Score: 1

      I'm sure others will rip this to shreds. Google isn't about your security they're about tracking every fucking thing you do. They made Android open so they could get it on more phones. It was not designed with security in mind. Their app was not designed well as a good security design does not fit their track every fucking thing you do paradigm. Since there is an alleged standard for them to live down to Google won't have to design a truly secure app, just one that meets the standard.

      Real security is hard. I've seen several 'super secure' systems shattered by a paperclip, a sliver of metal, an ice pick, rubber mallet, soldering iron and in one case a truck.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    9. Re:Could have been done right... by dgatwood · · Score: 1

      Who said anything about lifting the print from the sensor? The owner has been holding the phone. There are bound to be full sets of prints all over it.... Not to mention that glass at the bar, the steering wheel, the door handle....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. This explains the old Rodney Dangerfield joke by Anonymous Coward · · Score: 0

    Worried about hackers from Eastern Europe, Rodney's dad used to carry around a picture of the kid who came with the wallet.

  9. Bullshit by walterbyrd · · Score: 1, Insightful

    It's actually just the opposite.

    Slashdot publishes google smear stories practically everyday. Including stories with very little credibility, i.e. stories from personal blogs etc.

  10. Lots of good stuff about Google, but . . by walterbyrd · · Score: 4, Insightful

    Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to setup and use, lack of features, and essentially no help from google.

    I have used google wallet, and I have used paypal. Paypal is *far* superior.

    I am far from a google hater. I even have some of those weenie google certs in analytics, and google apps. Sadly, Google merchant, and google wallet, are just not worth using.

    Google is aware of the many problems with google apps, merchant, wallet, etc. But google only really cares about their bread-and-butter advertising business. Everything else is on a distant back burner. Google services, other than advertising, are things that google employees work on in their spare time - very low priority.

    1. Re:Lots of good stuff about Google, but . . by Anonymous Coward · · Score: 3, Insightful

      You know Google's failing badly on a project when PayPal has a better product.

    2. Re:Lots of good stuff about Google, but . . by Anonymous Coward · · Score: 0

      Normally I viciously hate you and everything you say to the point of trolling with foul mouthed posts. Today however, I agree with everything you have said here. Good show, sir, good show.

    3. Re:Lots of good stuff about Google, but . . by mackil · · Score: 2

      Their wallet, checkout, or whatever really does suck.

      As a merchant, I've found Google Checkout to be quite useful. It's API has more features than Paypal's, and it's Order Processing interface is far superior to any other I've used. It allows me to send multiple tracking numbers to a customer, which Paypal STILL does not allow. Searching and archiving is far easier in Checkout. And don't forget about speed. Paypal's site is abysmally slow, while Checkout is lighting quick in just about every function. Generating reports is immediate, while Paypal makes you wait anywhere from 10 minutes to 24 hours.

      That being said, their Help and Support is virtually non-existent. No phone support whatsoever. Email support is usually canned answers only. You'll find many forum posts of Google Checkout users begging for help and rarely finding it.

      Checkout definitely needs help, but it has Paypal beat as far as merchants are concerned. Now if only it had Paypal's market share...

    4. Re:Lots of good stuff about Google, but . . by Anonymous Coward · · Score: 0

      The one thing about Wallet that is brain-dead simple is the app. Install, set PIN, add cash/card, tap the PayPass thing. Google Checkout is likewise easy as long as the vendor manages to put the button somewhere visible. As far as the customer experience of these applications go, I think they beat PayPal with a stick because they're very streamlined and easy. What you're describing, of course, is the vendor side of the game.

      It's possible that they wanted major vendors to hop on board first so they can target their development efforts accordingly (it would be in line with Larry Page's current strategy). What they should do soon is make the vendor-side set up simpler-- the catch, of course, is that this part of the process will probably be gummed up by federal and state regulations, working on interoperability with the shopping cart software devs, and negotiations with credit card companies. Here's where their "here's the code, you figure it out" approach to those who want to use Google software to serve users is becoming the thorn in the side for Google.

      Now, PayPal started as a "hey bro can you give me some money for a beer?" service, and so was in a much better position to work its way to online payment services for small businesses. Google, on the other hand, is starting from scratch, and it's entirely possible that they'll drop or sell Wallet/Checkout in a couple of years because competing with PayPal is costing too many resources to be worth it.

    5. Re:Lots of good stuff about Google, but . . by stephanruby · · Score: 1

      Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to setup and use, lack of features, and essentially no help from google.

      I have used google wallet, and I have used paypal. Paypal is *far* superior.

      No, you haven't used Google Wallet. You've used Google Checkout. Those two are not the same (not yet anyway).

      Google Wallet is an NFC-enabled application (NFC means Near Field Communication). It allows you to tap your phone and pay at the check out counter at a few chain stores. Google Wallet currently requires an Android NFC phone (which represents less than 2% of the install base of Android devices in the US).

      Thus far in the US, only the Nexus S, the Galaxy Nexus, and the HTC Amaze support NFC, but it won't work on AT&T and Verizon since they're blocking it because they'll have their own competing NFC wallet coming out this year (technically, T-Mobile is also part of that ISIS group with the competing product, but T-Mobile hasn't disabled/removed GoogleWallet yet, and I'm not sure if it will ever do). The same goes for the Blackberry Bold and the other Blackberry NFC phones that RIM was hoping it could use it for launching its own NFC-enabled payment platform, but worse, because on those phones, AT&T and Verizon have disabled the entire NFC stack as per my understanding, not just the app that does payment with NFC (please someone correct me if I'm wrong on that one, I'm not up-to-date on the latest Blackberry/RIM news right now).

    6. Re:Lots of good stuff about Google, but . . by Anonymous Coward · · Score: 0

      Google Checkout merges with Google Wallet, completing the inevitable

      By Amar Toor posted Nov 17th 2011 8:44AM

      In a move that has "common sense" written all over it, the folks over at Mountain View have decided to merge Google Checkout with Google Wallet. The marriage hardly comes as a surprise, considering the fact that both services serve essentially the same purpose -- namely, storing all your payment information in one neat little package. To make things even tidier, Big G has just folded Checkout into Wallet, which will soon be integrated within the Android Market, YouTube and Google+ Games, as well. As a result, the Checkout moniker will vanish from the Earth, but current users will be able to seamlessly switch over to Wallet the next time they log in to their accounts or make an online purchase. For more details, check out the source link below.

      http://www.engadget.com/2011/11/17/google-checkout-merges-with-google-wallet-completing-the-inevit/

  11. Pathetic by gweihir · · Score: 1

    You would think that Google has enough money and perks to hire a few really good IT security experts. Apparently they do not have the corporate culture to do so. Pathetic.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Pathetic by AdrianKemp · · Score: 1

      No you're quite wrong there -- they can and ostensibly do hire some really great people (security included). They also hire absolute chaff a lot of the time, but neither of those have anything to do with why wallet and such suck.

      They aren't ads, and they aren't search. Google only actually cares about the stuff that makes them money, or the stuff that could make them money. They've already botched wallet and checkout, just like gTalk the launch was awful in a crowded market and the product is a failure because of it. Since the chances of serious money making are gone so is any likelihood of getting anyone good on the project

    2. Re:Pathetic by gweihir · · Score: 1

      So they have managed to turn themselves into a standard greedy cooperation? No surprise here. Makes sense to me.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Good. Die. by Anonymous Coward · · Score: 0

    Not interested in paying $1000/yr for a data plan so I can spend my money so easily that I'm less inclined to keep track of it, or so that anybody who can hack my overpriced system can spend my money. Die already. Just. Die.

  13. Google is putting their eggs in too many baskets by parallel_prankster · · Score: 1

    Google has been experimenting with so many things lately. They are fiddling with self-driven cars, trying to get into home entertainment system , cell phone business etc. I have been a big fan of google, but lately I have been issues with a lot of their products. This is mostly maintainence stuff but it annoys me, especially considering that the products were good and easy to use in the beginning such that I switched to using google stuff for a lot of my day to day activities; Gmail has become slower and every now and then does something weird which forces me to close/reopen the tab Chrome memory usage has gone way up in case anyone is noticing. With the approx same number of tabs and plugins/extensions etc , I see all the different chrome processes add up to the same amount as firefox or even more. I could have sworn it was lesser around 6 months back. Google talk connection quality has gone down The gmail app on android has a tonne of bugs with respect to syncing and notifications. They keep fixing some and creating some everytime we have a new release. Currently, my android is not showing me notifications from Gmail app. I see them only from the stock email app. Now, google wallet earlier got pretty bad reviews for security and even this time around their ratings were not good. I wonder if they can put their weight behind only some of the items and make sure they get out a good product and maintain it properly would that be a better thing to do. I know they recently cancelled some projects, but they still have a lot of projects in a lot of myriad areas.

  14. Fail by techgeek0279 · · Score: 1

    Not cool at all, product fail.

  15. Requires root by swillden · · Score: 4, Interesting

    The key thing to keep in mind about the various Google Wallet deficiencies is that they all require the attacker to get your phone and root it... and he still has less information about and/or ability to use your card than if he'd gotten your credit card. That's not to say that the Wallet issues don't need to be addressed, but it does mean that carrying your credit card in your phone is more secure than carrying your credit card in your wallet.

    Bottom line: Google Wallet security isn't as good as it could be, but it's still better than plastic.

    Oh, I guess there is one way plastic might be more secure... the phone conducts transactions via RF, so there's still the possibility of someone doing a payment transaction with your phone while it's in your pocket, without your knowledge. Google Wallet addresses that risk in three ways. First, NFC is very short range. 1-2 centimeters with off-the-shelf equipment, perhaps 10 cm in the lab. Second, if your screen is turned off, the NFC payment is disabled. Third, if you haven't entered you PIN in the last few minutes (15?), NFC payment is disabled. In addition, all of the normal credit card risk management infrastructure is still in place, as well as the legal limitations on your liability.

    Honestly, the biggest problem with Google Wallet isn't security, it's acceptance. Unless you want to eat at McDonald's a lot, it's fairly difficult to find merchants who can accept it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Requires root by JStyle · · Score: 2

      Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic

      However, I did just get off the phone with Money Network (the company that manages the Google Prepaid card on Google Wallet. After speaking with them and doing a little reading, I discovered that the phone owner is not liable for fraudulent charges. You must notify them as soon as possible though (855-492-5538, toll free).

    2. Re:Requires root by swillden · · Score: 2

      Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic

      Ah... I didn't realize that had been published. I really wasn't trying to hide it, but as a Google employee I have to be circumspect about things that aren't yet public.

      As the Gizmodo article mentions, Google is working on a fix for this which address this issue. In case it's not clear from the article this only affect Google Prepaid card balances. If you've put your Citibank MasterCard in Google Wallet an attacker can't gain access to it. Adding a "real" card requires typing in the card number. It's just for the Prepaid card there's this kind of behind-the-scenes credit card number which is tied to the phone.

      However, I did just get off the phone with Money Network (the company that manages the Google Prepaid card on Google Wallet. After speaking with them and doing a little reading, I discovered that the phone owner is not liable for fraudulent charges. You must notify them as soon as possible though (855-492-5538, toll free).

      Right. Just like any other credit card, except that Money Network explicitly agrees to lower your liability to $0 from the legally-allowed $50.

      In practice, what this means is that if someone gets your phone, clears the Wallet app data, then uses Wallet to spend your pre-paid balance, Money Network will give you back the money they spent, transferring it to your new phone.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Requires root by swillden · · Score: 1

      Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic

      Oh, and I should also have said: Still more secure than plastic. Especially if you use the lock screen.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Requires root by Anonymous Coward · · Score: 0

      No, it's only more secure than the joke swipe cards you use in the US. A pin+chip card is way more secure than the Wallet crap. Plus I don't think I'd feel very comfortable with the Google creeps knowing about every transaction I make with my CC.

      Do you ever get any work done or you just spend your day refreshing /. hoping for more Google stories so you can spew your garbage?

    5. Re:Requires root by bhcompy · · Score: 2

      So you suggest I voluntarily give my credit card information to Google? No, I'll pass. I trust Yahoo more than I trust Google with my personal information, as Google has made it very explicit what they demand from their users recently.

      Little tinfoil hattish, I agree, but meh. Datamining is the primary goal, and from the wardriving we know that personal data privacy be damned.

    6. Re:Requires root by Anonymous Coward · · Score: 0

      If that's the method where the attacker just clears the Wallet data, then all they'll get is your prepaid Google card balance. Any other cards linked to the Wallet app will be unlinked.

      So that's a risk IF the handset owner is naive enough not to set a secure lock screen, and IF he has funds in the prepaid card. It's still a step above your physical wallet getting stolen.

    7. Re:Requires root by Anonymous Coward · · Score: 0

      I use the standard Google "prepaid card" that comes with the wallet application. I add money to it through Visa/MC gift cards I have. I don't know what I'll do when I don't have any gift cards to add, maybe just add some money through my onw bank VC/MC/AMEX I guess. Either way, Goolge does not have my banks CC info as a payment method to use with Wallet, It would only be used to recharge Wallet on occasion. Just like buying something with your credit card but I'm buying value on my Google card.

    8. Re:Requires root by swillden · · Score: 1

      So you suggest I voluntarily give my credit card information to Google?

      Well, if you use Android and buy apps from the Android Market, or buy stuff with Google Books, or through Google Checkout (recently renamed Wallet), or use the paid developer APIs, or... you already have. Google, like any other large on-line seller, routinely manages tens of millions of customer credit card numbers, and has been doing so for years. Google is PCI compliant, and actually goes far beyond PCI requirements in terms of the security precautions it takes. That's the area I work on most of the time, actually.

      What are you thinking Google will do with your credit card number that would bother you?

      Little tinfoil hattish, I agree, but meh. Datamining is the primary goal, and from the wardriving we know that personal data privacy be damned.

      There's no datamining value in acquiring credit card numbers. Really the only use of credit card information is to make charges against it. Google isn't going to start issuing fraudulent charges against your card.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:Requires root by swillden · · Score: 1

      No, it's only more secure than the joke swipe cards you use in the US. A pin+chip card is way more secure than the Wallet crap.

      Somewhat more secure, yes, at present. When the outstanding vulnerabilities in Wallet are fixed, the reverse will be true because of the Chip & PIN PIN spoofing attack, which AFAIK still hasn't been fixed (it's an EMV protocol design flaw, so not easy to repair).

      Do you ever get any work done or you just spend your day refreshing /. hoping for more Google stories so you can spew your garbage?

      I've gotten plenty done today, how about you? And can you point out something I've said which is "garbage"?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re:Requires root by Anonymous Coward · · Score: 0

      Surely you would agree that there's data mining value in knowing what, where, and when someone buys something.

    11. Re:Requires root by swillden · · Score: 2

      Root is no longer required: http://gizmodo.com/5883913/google-wallet-has-been-hacked-again-now-you-should-panic However, I did just get off the phone with Money Network (the company that manages the Google Prepaid card on Google Wallet. After speaking with them and doing a little reading, I discovered that the phone owner is not liable for fraudulent charges. You must notify them as soon as possible though (855-492-5538, toll free).

      BTW, to address this Google has temporarily disabled re-provisioning of Prepaid cards. If you or someone else erases your Google Wallet configuration and then attempts to re-configure it, you will not be able to get your Prepaid card back. Currently-provisioned devices will work as they should, meaning you can add and spend value at will, and new devices that have never been provisioned can be provisioned and will work properly, but any device that once had a Google Prepaid card added to it and then was subsequently wiped will not be able to have the Prepaid card added again.

      This is a temporary situation until the long-term fix can be deployed. This temporary fix is an improvement over the temporary fix deployed late last week, which completely disabled provisioning and balance increases for all Google Prepaid cards (though money already on a card already provisioned on a phone could still be spent).

      The correct, long-term fix will be deployed soon. It will restore the ability to delete and re-provision, but with an authentication step to verify the ownership of the prepaid card before re-provisioning it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  16. It's just bonch/OverlyCriticalGuy/etc by Anonymous Coward · · Score: 0

    One of the dumbest multi-account trolls ever on Slashdot throwing a tantrum that pretty much everyone quickly caught on to his flood of pro-Apple/anti-Google sockpuppet accounts.

  17. Nothing to do with google by Anonymous Coward · · Score: 0

    Google wallet wasn't even created by google people. It is done by a korean IT company. I interviewed there. I got the drift it would be a 'you work 70 hours a week if you love your job' sort of place. I ran the opposite way. I would say this is more about poor software companies with draconian work conditions producing substandard software than google itself.

  18. Google is still responsible by walterbyrd · · Score: 1

    It is, after all: **Google** Wallet.

    So it certainly has something to do with Google. If it's a Google product, it's up to Google to make sure it works correctly. No matter who Google contracts with.

  19. This pales compared to by Kartu · · Score: 1

    I couldn't care less about nitpicking about how they store it internally. What is a real problem though, that after I buy something using it (from my PC, mind you), 3rd party programs on my Samsung Galaxy Tab suddenly gain rights to charge me, WITHOUT ASKING my password! (brilliant idea, dear Google) Bum, and you've just purchased non-refundable "5000 Happy Stars" for "Sheeps & Clouds" game for mere 7.99 Euro. How on Earth, after the story with Apple losing the case for remembering password for 15 minutes (!!!), could Google decide that remembering it forever is a good idea, is beyond me.

    1. Re:This pales compared to by Anonymous Coward · · Score: 1

      You should probably put a PIN on your market account, and / or not let your kids know your PIN.

      I got burned once when I trusted my 7 y.o. cousin to play with my phone. Proud owner of a few jewels in some game, and a new app.

      It *ALWAYS* asks the PIN whenever you make a purchase through the market; there's no timeout.

  20. Anybody surprised? Google doesn't give a darn ... by Anonymous Coward · · Score: 0

    about security. All they care about is making $$$ and getting as much private information (about the user) that they can use to make more $$$.

  21. Of course ... by Anonymous Coward · · Score: 0

    ... it does have holes: money needs to breathe you insensitive clod. No one wants dead bucks in his pocket.