After Rewrites, Google Wallet Still Has Holes

itwbennett writes "A report from viaForensics makes clear that, despite efforts by Google to tighten up security after a poor evaluation in December, Google Wallet still stores data in too many places and could make it available too easily to be a secure way to make purchases using smartphones."

Re:Slashdot is dead

[SJHillman]

If you don't like it, why are you still here? I may not agree with Slashdot's spin on many stories, but it's still a great aggregation site and the commentary is pretty good if you ignore all of the morons like you. The ability to form your own opinion and present it in a non-troll-like manner still seems to be valued here by a decent majority even if it goes against the prevailing bias.

Paywall?

I think it should be noted that the report is behind a paywall.

Re:Slashdot is dead

[masternerdguy]

I like this place for the discussion - not the news.

Re:Slashdot is dead

You only get pro-Google

At least paste your tripe in an article that's actually pro google nitwit.

Re:Slashdot is dead

[madmark1]

This is going to be one of those moments where I wonder why I bothered, but...

Yes, Google was investigated for the wifi data collection. The FTC investigated, and determined that nothing had been done intentionally, and Google agreed to improve their privacy policies accordingly. You can read that here, should you choose to actually know what's going on.

Yes, Google required real names on G+, and used it as an 'identity service'. What I fail to understand is how that differs than every website in the cosmos requiring me to log in via Facebook. It sucks, but they all do it.

Microsoft used a 90+ percent monopoly in the desktop market to try and dominate the web. Google uses a 60 some percent dominant position (but hardly 'monopoly', given there are several hundred other search engines that could be used) to fund development of a free phone OS no one is required to use. People use it because it works. If Microsoft had provided a browser, but not bundled it in, but given it away for free, there would have been no case against them, just like there isn't against Google now. You aren't required to use Android, there are other options, and you aren't handed a free phone when you visit their search page.

Yes, they injected G+ results in their search results. They did NOT however block results from anyone else like Twitter or Facebook from appearing. They were still in the results. Were G+ results returned with higher rankings? I don't know, never turned that on, and never used G+. Because of that, I never got back search results relating to G+ at all, and as far as I know you can still turn that off, so you don't get them either. I can see why Twitter and the others were butt-hurt about this, it cuts directly into THEIR money, but why are you? Don't like it, SWITCH IT OFF. It hardly constitutes evil to allow you to opt out of something.

Yes, Apple surpassed Android in market share at the end of the year, primarily due to them releasing a new phone. If you want reporting on how the front runner changes every 12 seconds, I am sure there are places for that, but I personally don't care to read how a new vendor 'owns' a half a percent higher share of the market every single day. The first time someone passes the front runner its news. The 27th time they change places, it just isn't.

Perhaps you get modded down on posts like these because you engage in name-calling, present a closed-minded position, assume a victimized attitude, lash out with hate, and refuse to present a reasoned, well argued position? Just a thought.

Lots of good stuff about Google, but . .

[walterbyrd]

Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to setup and use, lack of features, and essentially no help from google.

I have used google wallet, and I have used paypal. Paypal is *far* superior.

I am far from a google hater. I even have some of those weenie google certs in analytics, and google apps. Sadly, Google merchant, and google wallet, are just not worth using.

Google is aware of the many problems with google apps, merchant, wallet, etc. But google only really cares about their bread-and-butter advertising business. Everything else is on a distant back burner. Google services, other than advertising, are things that google employees work on in their spare time - very low priority.

Re:Lots of good stuff about Google, but . .

You know Google's failing badly on a project when PayPal has a better product.

Requires root

[swillden]

The key thing to keep in mind about the various Google Wallet deficiencies is that they all require the attacker to get your phone and root it... and he still has less information about and/or ability to use your card than if he'd gotten your credit card. That's not to say that the Wallet issues don't need to be addressed, but it does mean that carrying your credit card in your phone is more secure than carrying your credit card in your wallet.

Bottom line: Google Wallet security isn't as good as it could be, but it's still better than plastic.

Oh, I guess there is one way plastic might be more secure... the phone conducts transactions via RF, so there's still the possibility of someone doing a payment transaction with your phone while it's in your pocket, without your knowledge. Google Wallet addresses that risk in three ways. First, NFC is very short range. 1-2 centimeters with off-the-shelf equipment, perhaps 10 cm in the lab. Second, if your screen is turned off, the NFC payment is disabled. Third, if you haven't entered you PIN in the last few minutes (15?), NFC payment is disabled. In addition, all of the normal credit card risk management infrastructure is still in place, as well as the legal limitations on your liability.

Honestly, the biggest problem with Google Wallet isn't security, it's acceptance. Unless you want to eat at McDonald's a lot, it's fairly difficult to find merchants who can accept it.