Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder's name, transaction dates, the last four digits of credit card numbers, email address, and account balances. The mobile payment app fails to protect anything beyond the credit card number itself, …
For some reason...
this just doesn't surprise me.
Blanking the first twelve digits is not security...
Card numbers (Primary Account Numbers) are issued to the banks in bins, each having the same prefix, which can be two to seven digits long (MasterCards start "54xx xx", for instance). This is how your POS terminal tells you you've paid by VISA, VISA Debit, MasterCard or whatever. (And yes, it is a royal pain to keep track of). Think of it as the "Network" portion in an IPv4 address.
If you know who someone banks with, and you know what kind of card it is, you don't have to guess twelve digits at all, just six. Add in the effect of the Luhn checksum rules, and you're down to a very small search space indeed, in which many of the other numbers are valid anyway (you can still find card acceptors in the USA who'll take a PAN on its own for payment).
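As an added illustration of the two mechanisms the comment above relies on (this is example code, not part of the thread): the prefix lookup a POS terminal does to name the network, the Luhn check digit, and the receipt-style masking that leaves only the last four digits visible. The prefix table is a constructed, deliberately tiny subset; only the MasterCard "54" prefix comes from the comment, Visa's leading "4" is the well-known one, and the test numbers are the standard ones used for checkout-form testing.

```python
# Constructed, deliberately incomplete prefix table: (prefix, network).
# Longest matching prefix wins, as real BIN tables are resolved.
BIN_PREFIXES = [
    ("54", "MasterCard"),  # prefix quoted in the comment above
    ("4", "Visa"),         # well-known Visa prefix (assumption: table is illustrative)
]


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN's final digit satisfies the Luhn checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # fold two-digit results back into a single digit (18 -> 9).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_network(pan: str) -> str:
    """Identify the card network from the issuer prefix, longest match first."""
    digits = "".join(c for c in pan if c.isdigit())
    for prefix, network in sorted(BIN_PREFIXES, key=lambda p: -len(p[0])):
        if digits.startswith(prefix):
            return network
    return "unknown"


def mask_pan(pan: str) -> str:
    """Receipt-style masking: hide everything but the last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Standard test PANs (not real accounts), constructed input for the demo.
    for pan in ("4111 1111 1111 1111", "5454 5454 5454 5454", "4111 1111 1111 1112"):
        print(mask_pan(pan), card_network(pan), "luhn ok" if luhn_valid(pan) else "luhn FAIL")
```

The Luhn digit only confirms a typo-free number; it is not a secret, which is why a masked receipt plus a known issuer prefix leaves far less uncertainty than the twelve asterisks suggest.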
It's bad practice
But shops hand out receipts with all but the last 4 digits blanked all the time... nobody complains.
Log into your Amazon account... it'll tell you the last 4 digits.
There's lots of precedent for this... it's not unusual at all.
That's not the point...
With Amazon you need to log into your account /before/ you can access this information. But this information is stored in an unprotected manner on the phone itself, thus /any/ other software on the phone can access it too.
That's just waiting for malware to show up that starts checking what you bought last week in order to use that information to bring you "personalized advertisement" (spam).
"With Amazon you need to log into your account /before/ you can access this information. But this information is stored in an unprotected manner on the phone itself, thus /any/ other software on the phone can access it too."
Not quite: the information is stored in the application's private storage, meaning it is only accessible to third-party applications and the user if the device has been rooted.
I am an anonymous lack of surprise.
Use cash, people; stop supporting the banks' silent takeover of currency.
In the UK at least, cash -- or paper money -- WAS the banks' silent takeover of the currency.
The Bank of England was originally a private bank, but was later nationalised. In Scotland and Northern Ireland, commercial banks still issue legal tender notes.
Don't worry, Google have learnt from Street View
The first 12 digits are securely encrypted by ROT13.
I don't know if you're trying to be doubly funny, or not. But, ROT13 doesn't work on numerics at all.
Would it help if I'd put "encrypted by ROT13" twice for extra security, had the article mentioned that addresses were encrypted?
All this means is they have complied with PCI-DSS.
Y'know, I *really love* this idea of using my phone to pay for everything, so that when I get blind drunk and lose my phone I automatically lose my wallet too, but when, oh when, are they going to include a door-lock-swipe facility so that I can lose my keys at the same time?
Here's some fun legalese...
You know, in relation to credit card data, clauses 11.1 and 11.2 of the Google Terms of Service appear to be very entertaining. IANAL, but this reads as Google being able to change your transaction at will, and use your credit card data to sell you whatever crap they feel like :)... Puts a whole new spin on the "I feel lucky" button, doesn't it?
Extract from google.com/accounts/tos:
11.1 [..] By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.
11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.
I removed all my banking information from Google Wallet and will never use it again. Good luck to anyone else who has to speak to the Google gods.