In its report, the digital forensics company said that Google Wallet only encrypts a user’s credit card number itself - leaving data including the cardholder’s name, transaction dates, the last four digits of credit card numbers, email address and account balances unprotected by encryption.
“While Google Wallet does a decent job securing your full credit card numbers... the amount of data that Google Wallet stores unencrypted on the device is significant. Many consumers would not find it acceptable if people knew their credit balance or limits,” the report said.
Google Wallet is a mobile payment system developed by Google that allows users of its Android operating system to store details of credit cards, loyalty cards and gift cards on a mobile phone. It uses ‘near field communication’ (NFC) enabling its users to make payments by tapping the phone on a checkout terminal equipped with the technology.
The application launched in the US in September this year and currently only supports a limited range of payment options including the CitiBank Mastercard. It could be available in the UK in time for the Olympics in 2012, according to reports.
ViaForensics said that it disclosed its findings to Google at the end of November. The company was issued with an updated version of the application for additional testing which dealt with some of the issues including the creation of a recoverable image of the user’s credit card and allowing data to still be recovered when transactions were deleted or the application reset.
However, it said that “far more sophisticated and comprehensive security analysis” would be needed to see if other security vulnerabilities were present.
Google said that the analysts had used a ‘rooted’ Android NFC phone for their tests, and that no data stored in the application’s secure element was accessed. Rooting is a process that allows users of Android devices access to the operating system’s underlying files, similar to ‘jailbreaking’ a device running the Apple iOS operating system. A rooted phone allows a user to bypass security and other limitations placed on some devices by carriers and manufacturers.
In a statement made to industry trade publication NFC World, Google said that viaForensics’ study “does not refute the effectiveness” of the security built into both its Android operating system and Google Wallet. “The secure element still protects the payment instruments, including credit card and CVV numbers. Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices,” it said.
However Claire McCracken, a technology law expert with Pinsent Masons, the law firm behind Out-Law.com said that it was “surprising” that a new player in the e-payments market seemed to not be taking more care with customer data.
“It surprises me that they are apparently leaving so much data unencrypted as they are relative newcomers to this market and I would have thought they would want to be in a position to show potential customers that such information is secure,” she said.
“People are inherently nervous about disclosure of their personal information so this kind of publicity will do little to persuade people to use the technology.”