After Rewrites, Google Wallet Still Has Holes
itwbennett writes "A report from viaForensics makes clear that, despite efforts by Google to tighten up security after a poor evaluation in December, Google Wallet still stores data in too many places and could make it available too easily to be a secure way to make purchases using smartphones."
If you don't like it, why are you still here? I may not agree with Slashdot's spin on many stories, but it's still a great aggregation site and the commentary is pretty good if you ignore all of the morons like you. The ability to form your own opinion and present it in a non-troll-like manner still seems to be valued here by a decent majority even if it goes against the prevailing bias.
I think it should be noted that the report is behind a paywall.
I like this place for the discussion - not the news.
To offset political mods, replace Flamebait with Insightful.
You only get pro-Google
At least paste your tripe in an article that's actually pro-Google, nitwit.
You don't even need a secure area on the smart phone. You could put a thumbprint reader on the phone, then generate a hash from the thumbprint, then use that hash to generate a public/private key pair, then encrypt the credit card details with the public key. The phone would never have to store the private key at all. That is just one of many ideas that would help make this secure. Among others:
1. Require a thumbprint *and* a PIN code
2. Have an uber-long password to reset things in case the thumbprint or PIN don't work
3. Have a website to blacklist lost or stolen phones, not just some obscure phone number
4. When talking to other NFC equipped terminals, don't send the credit card data. Have the phone sign a "transaction receipt" with your private key. This would prevent replay attacks and no one would ever even have your card number
5. Create a separate PayPal-like account that users could put limited funds in, so if their phone was stolen, they would only lose the money in that account
And in addition, there could be many cool new features:
1. Put NFC readers on laptops, and use the public key idea for online shopping
2. Use your public key for door locks, and throw away your keychain *and* your wallet
3. Keep a list of transaction details on the phone, then sync up to Quickbooks at night
This technology could be super cool if they did it correctly, but as usual it seems to be implemented in the most half-assed way possible. Did these guys even contact an independent security firm to audit this before release? Did they hire someone like Bruce Schneier to architect it securely in the first place? Or did they just have a couple of MBAs, junior devs, and a few legal people draw something up on a whiteboard?
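The signed "transaction receipt" idea from the comment above, sketched as an added example that is not part of the original post or of Google Wallet. It assumes an Ed25519 key pair and a terminal-issued single-use nonce (the piece that makes a captured receipt useless on replay); all names and the merchant ID are hypothetical.

```javascript
// Added example: challenge-response payment authorization without sending a card number.
const nodeCrypto = require('crypto');

// Phone side: key pair lives on the device (assumption: Ed25519).
function createPhone() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return {
    publicKey,
    // Sign exactly what the terminal asked for; no card data leaves the phone.
    signReceipt: (challenge) =>
      nodeCrypto.sign(null, Buffer.from(JSON.stringify(challenge)), privateKey),
  };
}

// Terminal side: issues a fresh nonce per transaction and accepts it once.
function createTerminal(merchantId) {
  const pending = new Map(); // nonce -> challenge awaiting a signature
  return {
    newChallenge(amountCents) {
      const challenge = {
        merchantId,
        amountCents,
        nonce: nodeCrypto.randomBytes(16).toString('hex'),
      };
      pending.set(challenge.nonce, challenge);
      return challenge;
    },
    // Returns 'approved', 'unknown-or-replayed-nonce', or 'bad-signature'.
    verify(nonce, signature, phonePublicKey) {
      const challenge = pending.get(nonce);
      if (!challenge) return 'unknown-or-replayed-nonce';
      // Verify against the terminal's own copy, so amount and merchant are bound too.
      const data = Buffer.from(JSON.stringify(challenge));
      if (!nodeCrypto.verify(null, data, phonePublicKey, signature)) return 'bad-signature';
      pending.delete(nonce); // single use: the same receipt cannot be replayed
      return 'approved';
    },
  };
}

function demo() {
  const phone = createPhone();
  const terminal = createTerminal('constructed-merchant-001'); // constructed sample value
  const c1 = terminal.newChallenge(1299);
  const sig = phone.signReceipt(c1);
  const first = terminal.verify(c1.nonce, sig, phone.publicKey);
  const replay = terminal.verify(c1.nonce, sig, phone.publicKey);
  const c2 = terminal.newChallenge(1299);
  const reused = terminal.verify(c2.nonce, sig, phone.publicKey); // old signature, new nonce
  return { first, replay, reused };
}
```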
This is going to be one of those moments where I wonder why I bothered, but...
Yes, Google was investigated for the wifi data collection. The FTC investigated, and determined that nothing had been done intentionally, and Google agreed to improve their privacy policies accordingly. You can read that here, should you choose to actually know what's going on.
Yes, Google required real names on G+, and used it as an 'identity service'. What I fail to understand is how that differs from every website in the cosmos requiring me to log in via Facebook. It sucks, but they all do it.
Microsoft used a 90+ percent monopoly in the desktop market to try and dominate the web. Google uses a 60 some percent dominant position (but hardly 'monopoly', given there are several hundred other search engines that could be used) to fund development of a free phone OS no one is required to use. People use it because it works. If Microsoft had provided a browser, but not bundled it in, but given it away for free, there would have been no case against them, just like there isn't against Google now. You aren't required to use Android, there are other options, and you aren't handed a free phone when you visit their search page.
Yes, they injected G+ results in their search results. They did NOT however block results from anyone else like Twitter or Facebook from appearing. They were still in the results. Were G+ results returned with higher rankings? I don't know, never turned that on, and never used G+. Because of that, I never got back search results relating to G+ at all, and as far as I know you can still turn that off, so you don't get them either. I can see why Twitter and the others were butt-hurt about this, it cuts directly into THEIR money, but why are you? Don't like it, SWITCH IT OFF. It hardly constitutes evil to allow you to opt out of something.
Yes, Apple surpassed Android in market share at the end of the year, primarily due to them releasing a new phone. If you want reporting on how the front runner changes every 12 seconds, I am sure there are places for that, but I personally don't care to read how a new vendor 'owns' a half a percent higher share of the market every single day. The first time someone passes the front runner it's news. The 27th time they change places, it just isn't.
Perhaps you get modded down on posts like these because you engage in name-calling, present a closed-minded position, assume a victimized attitude, lash out with hate, and refuse to present a reasoned, well argued position? Just a thought.
Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to set up and use, lack of features, and essentially no help from Google.
I have used Google Wallet, and I have used PayPal. PayPal is *far* superior.
I am far from a Google hater. I even have some of those weenie Google certs in analytics, and Google Apps. Sadly, Google merchant, and Google Wallet, are just not worth using.
Google is aware of the many problems with Google Apps, merchant, wallet, etc. But Google only really cares about their bread-and-butter advertising business. Everything else is on a distant back burner. Google services, other than advertising, are things that Google employees work on in their spare time - very low priority.
The key thing to keep in mind about the various Google Wallet deficiencies is that they all require the attacker to get your phone and root it... and he still has less information about and/or ability to use your card than if he'd gotten your credit card. That's not to say that the Wallet issues don't need to be addressed, but it does mean that carrying your credit card in your phone is more secure than carrying your credit card in your wallet.
Bottom line: Google Wallet security isn't as good as it could be, but it's still better than plastic.
Oh, I guess there is one way plastic might be more secure... the phone conducts transactions via RF, so there's still the possibility of someone doing a payment transaction with your phone while it's in your pocket, without your knowledge. Google Wallet addresses that risk in three ways. First, NFC is very short range. 1-2 centimeters with off-the-shelf equipment, perhaps 10 cm in the lab. Second, if your screen is turned off, the NFC payment is disabled. Third, if you haven't entered your PIN in the last few minutes (15?), NFC payment is disabled. In addition, all of the normal credit card risk management infrastructure is still in place, as well as the legal limitations on your liability.
Honestly, the biggest problem with Google Wallet isn't security, it's acceptance. Unless you want to eat at McDonald's a lot, it's fairly difficult to find merchants who can accept it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Microsoft wasn't anti-competitive because it was forcing people to use IE to go download FF or whatever and it's a joke the European courts ruled that way. Most people's response to that article were pretty much indifference with a few anti-MS zealots going another way. The MS bashing on /. has dropped tremendously of recent because Apple has been taking a huge part of the marketshare.
You want to know what is anti-competitive? Walled off app markets (Apple/MS), paying major manufacturers to use only your software (MS to DELL, HP, IBM) so that you win 90% of the market and don't give your competitors a chance, not allowing people to work/fix/anything with their own computers (Apple), locking your phone into one provider (Apple), etc etc etc.
I don't recall the last time Google made an OS that could only use Google search (even ChromeOS offers others on setup, Android all you have to go and set the homepage), I don't recall Google paying off HTC, Samsung, etc to make only Android only phones and not iPhone or Windows Mobile... This BS about Real Names and stuff like that isn't evil. Don't like, don't use it!
WTF Slashdot, why do I have to login 50 times to post?