For some reason...
this just doesn't surprise me.
Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder's name, transaction dates, the last four digits of credit card numbers, email address, and account balances. The mobile payment app fails to protect anything beyond the credit card number itself …
Card numbers (Primary Account Numbers) are issued to the banks in bins, each having the same prefix, which can be two to seven digits long (MasterCards start "54xx xx", for instance). This is how your POS terminal tells you you've paid by VISA, VISA Debit, MasterCard or whatever. (And yes, it is a royal pain to keep track of). Think of it as the "Network" portion in an IPv4 address.
If you know who someone banks with, and you know what kind of card it is, you don't have to guess twelve digits at all, just six. Add in the effect of the Luhn checksum rules, and you're down to a very small search space indeed, in which many of the other numbers are valid anyway (you can still find card acceptors in the USA who'll take a PAN on its own for payment).
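The Luhn check and issuer-prefix point above, turned into a small defensive check (an added example, not code from the thread): scanning a dump of app storage for full card numbers kept in the clear, while ignoring masked last-four fields. The storage lines, card numbers and the `find_pans` helper are constructed for illustration; the brand prefixes are the public Visa (4) and MasterCard (51-55) ranges.

```python
import re

# Constructed sample of the kind of plaintext a wallet app might leave on
# disk: two lines hold a full PAN, the rest hold only masked or unrelated data.
SAMPLE_STORAGE = """\
cardholder=Jane Doe;last4=4242;balance=120.50
pan=4111111111111111;exp=12/27
pan=4111111111111112;exp=12/27
pan=5500000000000004;exp=01/28
note=contact jane@example.com
"""

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Double every second digit from the right, subtracting 9 when the
    # doubled value exceeds 9; the sum must be a multiple of 10.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def card_brand(digits: str) -> str:
    """Brand from the leading digits (the 'network' part of the PAN)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    return "unknown"

# Runs of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(text: str) -> list:
    """Return (masked PAN, brand) for each Luhn-valid PAN found in text.

    Last-four fields such as '4242' are too short to match, so only full
    card numbers stored in the clear are reported, and those are masked
    (first six and last four kept) before being returned."""
    hits = []
    for m in PAN_RE.finditer(text):
        pan = m.group(0)
        if luhn_valid(pan):
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            hits.append((masked, card_brand(pan)))
    return hits
```

A Luhn-valid digit run is not proof of a card number, so in real storage review this is a triage filter, not a verdict.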
That's not the point...
With Amazon you need to log into your account /before/ you can access this information. But this information is stored in an unprotected manner on the phone itself, thus /any/ other software on the phone can access it too.
That's only waiting for malware to show up which starts checking up on what you bought last week in order to use that information to bring you "personalized advertisement" (spam).
"With Amazon you need to log into your account /before/ you can access this information. But this information is stored in an unprotected manner on the phone itself, thus /any/ other software on the phone can access it too."
Not quite: the information is stored in the application's private storage, meaning it is only accessible to third-party applications and the user if the device has been rooted.
You know, in relation to credit card data clauses 11.1 and 11.2 of the Google Terms of Service appear to be very entertaining. IANAL, but this reads as Google being able to change your transaction at will, and use your credit card data to sell you whatever crap they feel like :).. Puts a whole new spin on the "I feel lucky" button, doesn't it?
Extract from google.com/accounts/tos:
11.1 [..] By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.
11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.
I had a problem with Google Wallet and visited the website to call the phone number. There is no phone number. I tried to find an email address to write to. There is no email address. There is a javascript'd form submission which will pass your request on directly to the merchant, but you cannot speak to the gods who hold your financial information. I wrote to support at Google but the email bounced.
I removed all my banking information from Google Wallet and will never use it again. Good luck to anyone else who has to speak to the Google gods.