Even after rewrites, Google Wallet retains gaping security holes, mainly due to Android

Google Wallet got patches for some security holes, but still leaves too much data exposed

By  

However, "the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineer attack." – via Forensics, Forensic security analysis of Google Wallet, published Dec. 12, 2011, updated Feb. 8, 2012.

Google Wallet is the first credible mass-market attempt at NFC-based smartphone payment processing programs in the U.S., and won't be the last.

It won't be the first successful version with the weaknesses viaForensics listed, however.

The big question about security isn't about Google Wallet, though. Insecure applications can be effectively locked down in future versions if the vendor is motivated.

Android itself is so opaque in the ways and places it stores data on its users, so insecure and uncommunicative about the access both software vendors and carriers have to that data and so lacking in basic security consumers can apply themselves to feel confident about their own data that I doubt it can be a credible platform for mobile payments.

The easiest way to do it would be to create an encrypted, secured area within the phone that doesn’t feed data to apps, carriers or anyone else without the owner's permission.

So far, even Google Wallet doesn’t appear to be moving toward even that level of aftermarket, kludgy approach to making an open device secure enough to be trusted with more than Facebook logins and Angry Birds scores.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness