Google Wallet Stores Some Payment Card Data In Plain Text

December 17th, 2011

Via: Dark Reading:

Google’s much-anticipated mobile payment application locally stores some sensitive user information unencrypted, such as a cardholder’s name, transaction dates, email address, and account balance, new research released today reveals.

Researchers from viaForensics tested the security of Google Wallet — which lets consumers transact credit-card charges, redeem gift cards, and use loyalty membership cards in stores from their phones — on rooted Android smartphones and found that the app leaves sensitive data in the clear. While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app’s local SQLite database.

The good news is that viaForensics confirmed that the app does repel man-in-the-middle attacks, and is protected by a PIN to conduct transactions with the cards.

But the app’s SQLite databases resident on the Android phones included credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates — information that viaForensics says could be used, for example, as a way to social-engineer the actual credit-card account from the cardholder.
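The finding above is a storage-at-rest problem: once a device is rooted, anything the app writes to its SQLite database in the clear is readable. The check a development or assessment team wants is a quick audit of that database for plaintext card-related values before release. The script below is an added example and not code from Google, viaForensics or the Dark Reading article; it builds a constructed in-memory SQLite database that mimics the kinds of columns the article lists (cardholder name, last four digits, expiry, balance, limit, merchant, transaction time, email) and scans every table for values that should not be stored unencrypted. The column names, sample values and regex heuristics are this example's own assumptions.

```python
"""Audit a local SQLite database for payment-card-related data stored in the clear.

Added example: the schema, sample rows and heuristics below are constructed for
illustration and do not come from Google Wallet or the viaForensics report.
"""
import re
import sqlite3
from typing import List, Tuple

# Value-shape heuristics for data that should not sit in plaintext in an app's local store.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "card_expiry": re.compile(r"^(0[1-9]|1[0-2])/(\d{2}|\d{4})$"),
    "last_four": re.compile(r"^\d{4}$"),
    "full_pan": re.compile(r"^\d{13,19}$"),  # only reported if it also passes Luhn
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}"),  # ISO-style transaction timestamps
}

# Column-name hints: a plaintext value in such a column is reported even if no pattern matches.
SENSITIVE_COLUMN_HINTS = ("holder", "name", "balance", "limit", "expir", "email", "merchant", "location", "pan")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to cut false positives on long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(text: str) -> str:
    """Keep only the first two characters so the audit report itself does not leak the value."""
    return text[:2] + "*" * max(len(text) - 2, 0)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample resembling a wallet app's local store (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cards(id INTEGER PRIMARY KEY, holder_name TEXT, last_four TEXT,
                           expiry TEXT, balance REAL, credit_limit REAL, token BLOB);
        CREATE TABLE transactions(id INTEGER PRIMARY KEY, card_id INTEGER, merchant TEXT,
                                  amount REAL, occurred_at TEXT);
        CREATE TABLE account(id INTEGER PRIMARY KEY, email TEXT);
        """
    )
    # The BLOB stands in for an opaque payment token that is stored encrypted (not flagged).
    conn.execute("INSERT INTO cards VALUES (1, 'Example Cardholder', '1234', '09/14', 250.00, 5000.00, X'DEADBEEF')")
    conn.execute("INSERT INTO transactions VALUES (1, 1, 'Example Coffee Shop, Anytown', 4.50, '2011-12-15T10:32:00')")
    conn.execute("INSERT INTO account VALUES (1, 'user@example.com')")
    conn.commit()
    return conn


def scan_db(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str]]:
    """Return (table, column, finding, masked_sample) for every plaintext sensitive value found."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, value in zip(cols, row):
                if value is None or isinstance(value, bytes):
                    continue  # NULLs and BLOBs (likely ciphertext or tokens) are not plaintext findings
                text = str(value)
                for label, pat in PATTERNS.items():
                    if pat.match(text) and (label != "full_pan" or luhn_ok(text)):
                        findings.append((table, col, label, mask(text)))
                        break
                else:
                    if any(hint in col.lower() for hint in SENSITIVE_COLUMN_HINTS):
                        findings.append((table, col, "sensitive_column_plaintext", mask(text)))
    return findings


if __name__ == "__main__":
    for table, col, label, sample in scan_db(build_sample_db()):
        print(f"{table}.{col}: {label} (sample: {sample})")
```

Against the constructed database the scan reports eight plaintext findings (name, last four, expiry, balance and limit in `cards`; merchant and timestamp in `transactions`; the email in `account`) and leaves the BLOB token alone. On a real assessment the same `scan_db` is pointed at a copy of the app's database pulled from a test device; the report is masked so it can be attached to a ticket without reproducing the leak.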
