Experts at forensic security company viaForensics recently made a startling discovery about Google Wallet. The mobile app, which lets users store credit card information and pay simply by tapping their phone at the point of sale, stores a large amount of the cardholder's personal information in an insecure format. With the exception of the actual credit card number and the CVV number (the 3- or 4-digit code found on the front or back of a card that proves to merchants during card-not-present (CNP) sales that the buyer actually has the card in hand), all other stored data is unencrypted. The "other data" includes names, addresses, credit card limits, transaction times, PIN numbers, and more. This leaves an alarming amount of information available to attackers with relative ease.
The chief investigative officer at viaForensics responsible for the discovery is Andrew Hoog. He performed two very basic tests of Google Wallet's security on a rooted Sprint Nexus S, and the app failed both.
First, the app caches data directly on the user's phone. If the phone were lost or stolen, whoever recovered it would be able to access that data. Second, most of the stored data is not encrypted. While Google Wallet keeps credit card account numbers and the corresponding CVV codes in an encrypted portion of the NFC chip (the secure element), the rest of the information is left in the clear. Some of it is even recoverable after a transaction has been deleted, such as the last four digits of the account number, the card's expiration date and the name printed on the card.
The fixes Hoog suggests are either to encrypt all of the data or not to cache it on the mobile device at all. After making these discoveries, he spent a week with Google discussing his concerns about Google Wallet's vulnerabilities.
"While it's nearly impossible to provide 100 percent secure systems, it's pretty attainable to develop reasonably secure systems," said Hoog, according to PCMag.