Google Wallet fails to encrypt punters' personal data

Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder's name, transaction dates, the last four digits of credit card numbers, email address, and account balances. The mobile payment app fails to protect anything beyond the credit card number itself …

COMMENTS

  1. Spud2go

    For some reason...

    this just doesn't surprise me.

  2. Kristian Walsh

    Blanking the first twelve digits is not security...

    Card numbers (Primary Account Numbers) are issued to the banks in bins, each having the same prefix, which can be two to seven digits long (MasterCards start "54xx xx", for instance). This is how your POS terminal tells you you've paid by VISA, VISA Debit, MasterCard or whatever. (And yes, it is a royal pain to keep track of). Think of it as the "Network" portion in an IPv4 address.

    If you know who someone banks with, and you know what kind of card it is, you don't have to guess twelve digits at all, just six. Add in the effect of the Luhn checksum rules, and you're down to a very small search space indeed, in which many of the other numbers are valid anyway (you can still find card acceptors in the USA who'll take a PAN on its own for payment).
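Kristian Walsh's point above, quantified as an added example (this is not code from the article or from the commenter): a Luhn validator, a PAN masking helper that renders the "last four" display the thread is discussing, and a calculator that reports how many digits of a 16-digit PAN remain unknown once the issuer prefix (BIN) is assumed known and Luhn-invalid completions are discarded. The card numbers used are constructed test values, and the BIN length is a parameter because the comment puts it anywhere from two to seven digits.

```python
# Added example (not code from The Register article or its commenters): a Luhn
# validator plus a small exposure calculator showing how much of a 16-digit PAN
# remains secret once a "last four" display is combined with a known issuer
# prefix (BIN). All card numbers below are constructed test values.
import math
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if the digits of pan satisfy the Luhn (mod 10) checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and,
    # if the result exceeds 9, reduced by 9 (same as summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Render a PAN the way a receipt or wallet app shows it.

    keep_first=0, keep_last=4 is the "last four only" display discussed
    in the thread; keep_first=6, keep_last=4 is the most a PCI DSS
    compliant display is allowed to reveal.
    """
    digits = "".join(c for c in pan if c.isdigit())
    if keep_first + keep_last >= len(digits):
        raise ValueError("masking would reveal the whole PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


@dataclass
class Exposure:
    unknown_digits: int      # digits neither shown nor implied by the BIN
    candidates_raw: int      # 10 ** unknown_digits
    candidates_luhn: int     # after discarding Luhn-invalid completions
    entropy_bits: float      # log2 of the Luhn-valid candidate count


def masked_exposure(masked: str, bin_digits: int) -> Exposure:
    """Estimate the residual secret in a masked PAN.

    bin_digits is how many leading digits an observer already knows from
    the issuer prefix (the comment above puts this at two to seven).
    Masked digits inside that prefix therefore count as known.
    """
    unknown = sum(1 for i, c in enumerate(masked) if c == "*" and i >= bin_digits)
    raw = 10 ** unknown
    # Luhn fixes one digit's worth of freedom: for any choice of the other
    # unknown digits exactly one value of the remaining digit validates
    # (doubling with the "subtract 9" rule permutes 0-9), so one in ten
    # completions survives the checksum.
    after_luhn = raw // 10 if unknown > 0 else 1
    return Exposure(unknown, raw, after_luhn, math.log2(after_luhn))


if __name__ == "__main__":
    test_pan = "4111111111111111"               # constructed, Luhn-valid test value
    last_four = mask_pan(test_pan)               # '************1111'
    pci_max = mask_pan(test_pan, keep_first=6)   # '411111******1111'
    for label, shown in (("last four only", last_four),
                         ("first six + last four", pci_max)):
        e = masked_exposure(shown, bin_digits=6)
        print(f"{label:24s} {shown}  unknown={e.unknown_digits} "
              f"luhn-valid candidates={e.candidates_luhn:,} ({e.entropy_bits:.1f} bits)")
```

Run stand-alone, the script shows that with a six-digit BIN assumed known the "last four only" display and the PCI-permitted "first six plus last four" display leave exactly the same six middle digits unknown, about 100,000 Luhn-valid candidates (roughly 16.6 bits); the masked prefix buys nothing once the issuer is known. Passing a shorter `bin_digits` models an observer who knows only the network, not the issuing bank.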

  3. TonyHoyle

    It's bad practice

    But shops hand out receipts with all but the last 4 digits blanked all the time... nobody complains.

    Log into your Amazon account.. it'll tell you the last 4 digits.

    There's lots of precedent for this.. it's not unusual at all.

    1. Anonymous Coward

      @Tony

      That's not the point...

      With Amazon you need to log into your account /before/ you can access this information. But this information is stored in an unprotected manner on the phone itself, thus /any/ other software on the phone can access it too.

      That's only waiting for malware to show up which starts checking up what you bought last week in order to use that information to bring you "personalized advertisement" (spam).

      1. Anonymous Coward

        "With Amazon you need to log into your account /before/ you can access this information. But this information is stored in an unprotected manner on the phone itself, thus /any/ other software on the phone can access it too."

        Not quite: the information is stored in the application's private storage, meaning it is only accessible to third-party applications and the user if the device has been rooted.

  4. Anonymous Coward

    I am an anonymous lack of surprise.

    Use cash people, stop supporting the banks' silent take over of currency.

    1. Kristian Walsh

      Um...

      in the UK at least, cash -- or paper money -- WAS the banks' silent takeover of the currency.

      The Bank Of England was originally a private bank, but was later nationalised. In Scotland and Northern Ireland, commercial banks still issue legal tender notes.

  5. Dan 55

    Don't worry, Google have learnt from Street View

    The first 12 digits are securely encrypted by ROT13.

    1. Anonymous Coward

      I don't know if you're trying to be doubly funny, or not. But, ROT13 doesn't work on numerics at all.

      1. Dan 55

        Would it help that I'd have put encrypted by ROT13 twice for extra security if the article mentioned that addresses were encrypted?

  6. Anonymous Coward

    All this means is they have complied with PCI DSS

  7. Jimbo 6

    Y'know, I *really love* this idea of using my phone to pay for everything, so that when I get blind drunk and lose my phone then I automatically lose my wallet too, but when oh when are they going to include a door-lock-swipe facility so that I can lose my keys at the same time?

  8. Fred Flintstone

    Here's some fun legalese..

    You know, in relation to credit card data clauses 11.1 and 11.2 of the Google Terms of Service appear to be very entertaining. IANAL, but this reads as Google being able to change your transaction at will, and use your credit card data to sell you whatever crap they feel like :).. Puts a whole new spin on the "I feel lucky" button, doesn't it?

    Extract from google.com/accounts/tos :

    11.1 [..] By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

    11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.

  9. Nameless Faceless Computer User

    Never again

    I had a problem with Google Wallet and visited the website to call the phone number. There is no phone number. I tried to find an email address to write to. There is no email address. There is a javascript'd form submission which will pass your request on directly to the merchant, but you cannot speak to the gods who hold your financial information. I wrote to support at Google but the email bounced.

    I removed all my banking information from Google Wallet and will never use it again. Good luck to anyone else who has to speak to the Google gods.
