Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google Wallet Stores Card Data In Plain Text

samzenpus posted more than 2 years ago | from the read-it-and-weep dept.

Android 213

nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."

Sorry! There are no comments related to the filter you selected.

Wow (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#38394554)

I had no idea they were such stupid niggers!

Re:Wow (-1, Offtopic)

xushi (740195) | more than 2 years ago | (#38394742)

Interesting... is such racism allowed in Slashdot ?!

Re:Wow (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#38394906)

Are you new here?

Not tooo worried about this one (4, Informative)

bobwrit (1232148) | more than 2 years ago | (#38394560)

At least it's not storing, oh say, your login details in plain text... which certain(*cough* Sony) companies do. The details that it stores aren't anything that can be actually used to formally break into an account(yeah, sure, it can be used for stalking purposes/phishing, but that's almost always a vulnerability).

Re:Not tooo worried about this one (-1)

Anonymous Coward | more than 2 years ago | (#38394650)

hmm google fanboy... no problem here! look over there at a problem! goog iz teh beztzors!

Re:Not tooo worried about this one (-1, Flamebait)

bonch (38532) | more than 2 years ago | (#38395048)

Geez, way to spin it.

Re:Not tooo worried about this one (3, Informative)

Anonymous Coward | more than 2 years ago | (#38395090)

Sure, mr. Apple Fan, storing the same last 4 digits that are printed on every receipt is a security nightmare. Google is EEEEVIL. EEEEEVIL, I tell you!

"Way to spin it" is what article summary and headline do.

Re:Not tooo worried about this one (4, Informative)

Fritzed (634646) | more than 2 years ago | (#38395108)

One important difference is that in the credit card industry there are published rules that you must comply with called the Payment Card Industry Data Security Standard (PCI-DSS), or in the case of an application, Payment Application Data Security Standard (PA-DSS). If TFA is accurate, then Google Wallet is not following the PCI guidelines.

However, it is worth noting that even if they ignore all of the best practices, they are probably technically in the clear right now. Mobile Applications are currently exempted from PCI and PA enforcement pending an update to the rules. As they are currently written, they acknowledge that they were not designed with mobile devices in mind. Mobile payment application developers are encouraged to follow the general guidelines of PCI, but they are somewhat left to their best judgement.

Re:Not tooo worried about this one (0)

Anonymous Coward | more than 2 years ago | (#38395204)

Yet, even with their multiple security problems, sheeple rush to buy SONY products :(

Re:Not tooo worried about this one (4, Informative)

unapersson (38207) | more than 2 years ago | (#38395316)

The passwords were *cough* hashed. I suppose that's a kind of plain text.

Re:Not tooo worried about this one (2)

abigsmurf (919188) | more than 2 years ago | (#38395630)

Except Sony hashed the passwords, encrypted the CC info and didn't store the security codes.

How long has it been and people are still spreading the "ZOMG PASSWORDS IN PLAIN TEXT!!" rubbish?

Re:Not tooo worried about this one (1)

Anonymous Coward | more than 2 years ago | (#38395836)

Which one of Sony hacks are you talking about? There were something like ten break-ins in different parts of Sony conglomerate, with different amount and value of stolen info in each case.

For example, in this instance [troyhunt.com] they didn't.

Re:Not tooo worried about this one (4, Interesting)

History's Coming To (1059484) | more than 2 years ago | (#38396362)

My bank stores my password in plain text. It's clearly not even hashed as they only need (eg) the third and fifth characters to give me access. I queried this with them and the person couldn't understand what I meant, and I wasn't allowed to talk to anyone who might understand for "security reasons". Interesting policy.

NFC (5, Funny)

ferrisoxide.com (1935296) | more than 2 years ago | (#38394562)

No Fucking Clue?

Re:NFC (2)

CodeReign (2426810) | more than 2 years ago | (#38394608)

Nearfeild communication 1-4 cm transmission devices. Like pay pass.

Re:NFC (0)

sidthegeek (626567) | more than 2 years ago | (#38394634)

whoooooosh...

Re:NFC (0, Offtopic)

phonewebcam (446772) | more than 2 years ago | (#38395154)

That's what Apple tells its users when they ask why it wasn't on the iPhone 4S. The one with the tiny screen. And no 4G. Thankfully all that will change next summer when it will of course be trumpeted as a fantastic innovation on the iPhone5 and Apple can begin the busy work of suing everyone else copying their work.

Actually NFC is even funnier than that - they way the rollout is going you'll soon have checkouts offering "Fast Phone Payments" or however they spin it, so those with the right equipment (cough!) can zip past those standing in line next to them at the regular checkout with their fingers in their ears going "la la la la don't need that la la la pretend we're outside an Apple store la la la".

Re:NFC (0)

Anonymous Coward | more than 2 years ago | (#38395638)

Your obsession with Apple is unhealthy.

Re:NFC (1)

WrongSizeGlass (838941) | more than 2 years ago | (#38396138)

Your obsession with Apple is unhealthy.

You know the old saying: An Apple rant a day ...

Re:NFC (-1, Flamebait)

peragrin (659227) | more than 2 years ago | (#38395798)

except NFC payments aren't faster than say swiping a credit card.

on the phone the payment will need to be authorized so you have to enter a pin there, and then you will still have to sign the store copy as well. I have used pay pass, and it is seldom faster than actually swiping or using cash.

Not to mention most phones aren't in your hands but in a pock or purse and just as hard to get out as a wallet.

Finally I picked the iphone 4S because it was smaller, it fits into my pants pocket, and I don't need a purse to carry it. Unless your a sized 40+ waist your pants just aren't big enough for most android phones. hmmm no wonder why android is popular on slashdot.

Stupid headline (5, Insightful)

Ultra64 (318705) | more than 2 years ago | (#38394568)

"Stores Card Data In Plain Text"

isn't quite the same thing as

"suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number"

Re:Stupid headline (2, Informative)

Anonymous Coward | more than 2 years ago | (#38394622)

RTFL: "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext."

Re:Stupid headline (5, Informative)

Anonymous Coward | more than 2 years ago | (#38394658)

Neither statement is completely clear, but as I see it Google Wallet is storing (some) data about the card in plain text, which may be enough for anyone that discovers it to obtain further details about that person and their card from the financial institution via social engineering.

To me this means if you lose your phone, it may have enough information on it to enable the finder to then get your credit card details through social engineering.

Re:Stupid headline (2)

AmiMoJo (196126) | more than 2 years ago | (#38395044)

That's why it is important to report it lost as soon as possible.

Lost credit card statements are worse as if intercepted in the post because you won't even realise it until it has been missing for a few days.

Re:Stupid headline (3, Insightful)

neokushan (932374) | more than 2 years ago | (#38395314)

I'm curious as to what social engineering technique could be used to find a card number? I have never seen a website that will reveal credit card info as anything other than **** **** **** 1234, nor have I ever heard of a bank that will give out your number over the phone. The only thing they ever do is post you out a new card and disable the current one.

Seriously, phone up your bank and say "Hey it's Mr Smith here, I left home without my card today and I absolutely must buy this cute thingymabob on the internet, I know the last 4 digits are 1234 but that's it - could you help a brother out?" and see what happens. Then there's the CVN which shouldn't be stored in ANY payment system - except maybe the card authenticator themselves (i.e. Visa/Mastercard).

Re:Stupid headline (4, Insightful)

WrongSizeGlass (838941) | more than 2 years ago | (#38396236)

I'm curious as to what social engineering technique could be used to find a card number?

The target is not the bank or credit card company - it is the owner of the phone ... and remember, it doesn't have to work often (or on /.ers):
- Someone with malicious intent gets your Google Wallet info from your phone (either via malware or acquiring your phone).
- They contact the owner of the phone claiming to be from one of the stores that is listed in the plain text Google Wallet transaction history.
- They tell the owner of the phone that their records show that your Google Wallet was charged <insert excessive amount here by moving the decimal two places to the right> and surely that amount is not correct.
- They blame the error on the new payment technology (e.g., "they still haven't worked all the bugs out", etc).
- The remind the owner of the phone to pay close attention to their next statement just in case this happened with any other retailer.
- They tell the owner of the phone that they need the CC# and CCV to issue the credit because "they don't store that information for security reasons".
- If they've played their role correctly the owner of the phone may provide the requested information.

Re:Stupid headline (2, Insightful)

um... Lucas (13147) | more than 2 years ago | (#38396268)

Phone call:

" hi this is the chase anti fraud department. We've noticed some suspicious activity on your account. Can you verify if you initiated the following charges? Oh you did that's great. I just need to verify if you're in possession of your card right now. Can you please read the 16 digits off the front of it for me?"

I wouldn't fall for it. You and most slashdotters probably wouldn't either. But rest assured there are still millions who would. Those same people who go clicking every link they find in their emails, I'm sure a few of them would succumb to this sort of attack. Letting the their get enough information about you so that they can sound like the should have this info is a bad thing.

I'll jump on the band wagon that says this is incredibly irresponsible. Especially if it's tri that the program is x"protected by a PIN". The developers recognized that the program stores and accesses vital data, but didn't take the next step of insuring access too all of its data would be blocked without that pin.

Oh that's right. It's safe because only someone with root access can access it. Even though rooting an android phone is hardly rocket science. (that last statement is conjecture since I no longer use an android)

Re:Stupid headline (1)

mjr167 (2477430) | more than 2 years ago | (#38396350)

I'm pretty sure they can do that without whatever info google wallet stores. All they need to do is pick a major bank in the area and chances are a good number of people will have an account there. Or just watch the US mail... Ever think about how much your postman knows about you?

Re:Stupid headline (4, Insightful)

Splab (574204) | more than 2 years ago | (#38395844)

If I have your mobile phone with access why would I bother trying to get to your creditcard when I can get pretty much anything I want - it has access to E-mail, SMS, friends and family.

I could just try and grab all your passwords, getting to your online email client before you do I can probably change settings enough for you to be unable to quickly recover anything. From that point I can start initiating scam mails at your friends and family.

Having a credit card number is only useful for a limited time; having access to all your personal data will enable an attacker to keep stealing.

Re:Stupid headline (5, Informative)

stephanruby (542433) | more than 2 years ago | (#38394722)

Also it cites the PCI standard, but that applies only to a full credit card number that has been transmitted already.

In this case, it only keeps the 4 digits of the card number and the expiration date in plain text on your own phone. It's not bad compared to a regular wallet that will keep the full credit card number, the expiration date, the full name, and the verification code as well, all written in plain text on some flat piece of plastic.

Re:Stupid headline (3, Insightful)

Nick Ives (317) | more than 2 years ago | (#38394844)

Oh, so this is on a users phone? (Yea I didn't read FTA).

If so, this is right up there with the previous scandal about Android keeping passwords in plaintext. In that case you had to be root to gain access them, meaning whether or not they were stored as plaintext would be a moot point. If you're root, then surely you can do anything including invoke any methods used for decryption. Same goes for this.

Re:Stupid headline (0)

Anonymous Coward | more than 2 years ago | (#38394912)

Not so fast.

If the user data is encrypted with a user-supplied password (even if it is automatic and partially use the login password as a source), then even if you are root, you cannot decrypt the data.

It's like when your Home folder is encrypted; you can force-change the password if you have root access, but then, the data is not decrypted.

Re:Stupid headline (2)

kwark (512736) | more than 2 years ago | (#38394970)

The plain text stored passwords and the card details are not really comparable.
The plain text passwords for certain services have to be unlocked at boot to make these services function, they have to be kept open for background use even the phone interface might be locked (just like the home dir). The card details can be kept encrypted at all times except when actually being used, which should always happen interactively.

Re:Stupid headline (1)

sangreal66 (740295) | more than 2 years ago | (#38394960)

This 'social engineering' attack requires root on the user's phone as well by the way. A lot of effort just to get someone's credit card number.

Re:Stupid headline (2)

swillden (191260) | more than 2 years ago | (#38396374)

Oh, so this is on a users phone? (Yea I didn't read FTA).

If so, this is right up there with the previous scandal about Android keeping passwords in plaintext. In that case you had to be root to gain access them, meaning whether or not they were stored as plaintext would be a moot point. If you're root, then surely you can do anything including invoke any methods used for decryption. Same goes for this.

Root access is also required for this attack. Without root, a person with your phone can't get the unencrypted data. Rooting the phone via normal means (i.e. not exploiting some other security defect) will wipe the data.

Re:Stupid headline (1)

Threni (635302) | more than 2 years ago | (#38395594)

> Also it cites the PCI standard, but that applies only to a full credit card number that has
> been transmitted already.

No it doesn't. PCI also relates to storage of information.

Although you're quite right about the harmlessness of storing the last 4 (and the first 6, come to that) digits in plaintext. That it could be argued that this faciliates 'social engineering' scams is neither a PCI compliance issue nor is it Google's fault/problem. You could just as well suggest that a phone number, surname etc be kept secret for that reason.

Re:Stupid headline (2)

phantomfive (622387) | more than 2 years ago | (#38394846)

The following is the data listed by the article as being stored in plain text:

[data] such as a cardholder's name, transaction dates, email address, and account balance

Maybe enough for social engineering, probably not.

Why is it a stupid headline? (1)

bonch (38532) | more than 2 years ago | (#38395070)

I'm confused because you don't explain why "Stores Card Data In Plain Text" is a stupid headline. The statement you apparently cited as evidence restates that the data is stored in plain text and therefore may be vulnerable to social engineering attacks. Are you suggesting the headline is somehow contradictory to that? I mean, they both say that the data is stored in plain text, so what exactly is stupid about the headline?

Re:Why is it a stupid headline? (0)

Anonymous Coward | more than 2 years ago | (#38395240)

Because headline suggests "Swipe his phone and you've got his bank account in your hands" when it's "Swipe his phone and you've got a piece of information for further social engineering".

Re:Why is it a stupid headline? (1)

bonch (38532) | more than 2 years ago | (#38395388)

The headline merely says the data is stored in plain text, which is true. There is no further implication made.

Re:Why is it a stupid headline? (2, Informative)

WrongSizeGlass (838941) | more than 2 years ago | (#38396294)

The headline merely says the data is stored in plain text, which is true. There is no further implication made.

It should say "Stores Some Card & Transaction Data In Plain Text".

The headline was provocative and misleading because Google Wallet does not store the card number or CCV in plain text, both of which are considered the most important elements of card data.

This type of plain text data storage - even if it is just exp date, transaction dates & amounts, etc - is irresponsible, but TFA also said they needed to root the phone and get past Android security and Google security layers. Of course, if someone targets this data via malware that uses an exploit allowing root access then we're talking a whole different kettle of fish.

Re:Stupid headline (0)

dvdwholesale3 (2432850) | more than 2 years ago | (#38395226)

P90x is an extremely intense program.Sheer will and determination may get you to the finish line,but to achieve the best results,you’ve got to have the proper quality and quantity of nutrition.We make these supplements optional,so you have a choice.But know that P90x supplements were designed for this program and will supply your body with the necessary nutrients to give you added strength energy,and stamina for each workout. As you may notice from the math on the following pages,P90x is not bulit around adaily “calorie deficit” for weight loss like the general Beachbody plans found in Power 90,Kathy Smits’s Project :You!Type 2,and Slimin 6.It’s important that you understand why ,so you have the right training mentality with this program ,with the right expectations. http://wholesalers-dvds.com/24-thrillers-crime-mystery-dvds- [wholesalers-dvds.com]

Re:Stupid headline (0)

Anonymous Coward | more than 2 years ago | (#38395328)

But the apps' SQLite databases resident on the Android phones included credit-card balance, limit, expiration date, cardholder name, and transaction locations and dates -- information that viaForensics says could be used, for example, as a way to social-engineer the actual credit-card account from the cardholder.

Bitcoin is more secure than ACH (3, Funny)

Todamont (1034534) | more than 2 years ago | (#38394582)

Bitcoin uses encrypted wallets which are not linked to your name or address. It is the strongest computer in the world and it supports p2p DNS through namecoin. It is much more secure than online banking with ACH, and much harder to usurp than centralized BIND servers. Plus they won't print 1,000,000,000,000 of them this year.

Re:Bitcoin is more secure than ACH (-1)

Anonymous Coward | more than 2 years ago | (#38394606)

And yet they're still useless....

Re:Bitcoin is more secure than ACH (1)

mark_elf (2009518) | more than 2 years ago | (#38394712)

... It is the strongest computer in the world...

I'm scared of this.

Re:Bitcoin is more secure than ACH (2)

Capitaine (2026730) | more than 2 years ago | (#38395430)

"HAL, would you please let me open my wallet?"

Re:Bitcoin is more secure than ACH (3, Insightful)

cvtan (752695) | more than 2 years ago | (#38396048)

I'm sorry, Dave. I'm afraid I can't do that...

Re:Bitcoin is more secure than ACH (1, Funny)

Anonymous Coward | more than 2 years ago | (#38394994)

Bitcoin uses encrypted wallets which are not linked to your name or address. It is the strongest computer in the world and it supports p2p DNS through namecoin. It is much more secure than online banking with ACH, and much harder to usurp than centralized BIND servers. Plus they won't print 1,000,000,000,000 of them this year.

Thank you for paying with BitCoin now just have a seat over there while we wait for your 6 confirms then we will cook your burger...

Re:Bitcoin is more secure than ACH (1)

Anonymous Coward | more than 2 years ago | (#38395816)

Why would anyone require a much higher certainty from Bitcoin transactions than credit card transactions? In the latter case, you'll have to wait 6 months pending eventual chargebacks.

In Bitcoin's case it's enough to see that there was no duplicate TX being performed, thus the waiting time should be a few seconds at most.

No kidding. (5, Insightful)

SeaFox (739806) | more than 2 years ago | (#38394592)

viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.

Correct me if I'm wrong, but isn't social engineering the art of tricking people into giving information or access they wouldn't normally? If the security is breached through human gullibility I don't see what method of storing the data is going to protect against that, unless it's storing it where nobody but PCs have access to it and no humans have access to said PC's.

I can socially engineer the card holder to give me their card info and you can't encrypt against that.

Re:No kidding. (3, Insightful)

geminidomino (614729) | more than 2 years ago | (#38394602)

I think the point being that if you can trick someone into giving you a file that they don't know contains their credit card number in plain text, unlike giving you the card number directly, they don't even know what you have.

Re:No kidding. (5, Insightful)

caladine (1290184) | more than 2 years ago | (#38394614)

I think the point was that it makes it easier to pull off the "social engineering" if you have access to information only privileged parties should have. They should still be encrypting the locally stored data, and it's just lazy not to.

Re:No kidding. (4, Insightful)

Jah-Wren Ryel (80510) | more than 2 years ago | (#38394630)

You are only seeing the little picture. The idea is that if someone can get ahold of this data (like say they snatch your phone) then they can use that data to trick you into believing that they are someone trustworthy, like a rep at your bank.

For example, they get your payment transaction history and then they call you up - tell you your transaction history as a means of authenticating themselves as someone who works for your bank and then get you to disclose your online banking username and password, at which point they empty your entire savings account.

Re:No kidding. (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38394688)

Wouldn't you be kind of suspicious if your phone gets snatched and suddenly someone calls you up about your Google Wallet account?

Credit card transaction data is not that hard to get by just going through someone's trash too. This isn't really a new problem.

Re:No kidding. (5, Funny)

JWSmythe (446288) | more than 2 years ago | (#38395076)

Wouldn't you be kind of suspicious if your phone gets snatched and suddenly someone calls you up

    That'd be a really cool trick.

Re:No kidding. (0)

um... Lucas (13147) | more than 2 years ago | (#38396324)

You're missing the point. They're not calling about google wallet. They're calling about your credit card. You might inquire as to why the phone theft and cc are related and the "rep" would just say "some phone apps store credit card information on the device", and then proceed to read off a list if your recent transactions to "verify" you.

As I said earlier most of us won't fall for this but if you think no one will, then you over rate the intelligence of the human race. Best not to leave that data available to be found in the first place... The fix for this is just a single additional step, it shouldn't have even been an issue.

Re:No kidding. (2)

SeaFox (739806) | more than 2 years ago | (#38394746)

You shouldn't trust they are who they say they are if they call you anyway. Lots of people throw out old bank statements without shredding them, and even if they did with their bank statements collecting enough random receipts all paid with the same debit card would give you enough transactions for a time period to make you sounds official. You should request to call the bank back about the matter and then dial them yourself -- from a known general customer service number for the institution, not a direct number the caller might give you.

Re:No kidding. (1)

sangreal66 (740295) | more than 2 years ago | (#38394982)

Indeed, but if someone steals your phone and it isn't protected they probably have a lot more information than what is being described here. The information stored is about the same as you might find on an ATM receipt with the addition of the expiration date. All of which I can probably get from your e-mail/facebook/sms/etc

Re:No kidding. (1, Insightful)

maiki (857449) | more than 2 years ago | (#38394858)

I can socially engineer the card holder to give me their card info and you can't encrypt against that.

Compare:

"Hey man, could I borrow your phone for a sec to call home? Mine ran out of battery."

"Hey man, could I see your credit card for a sec? (Mine ran out of money...)"

It's easier to agree to the first one.

Re:No kidding. (4, Funny)

JWSmythe (446288) | more than 2 years ago | (#38395098)

It all depends on your definition of social engineering. I find the best results come with a $5 wrench and a few minutes in an alley. People become very cooperative to anything you ask for.

Nothing to see here, move along... (5, Informative)

Anonymous Coward | more than 2 years ago | (#38394618)

It stores the last 4 digits of the credit card, so you know which card was used in your google wallet. My telephone company does this, as does paypal if I remember correctly. Whilst it may not be stored easily in plain view of anyone, I think someone breaking into either of those accounts would be more likely than someone first stealing my phone, rooting it then access the sqlite DB.

To be honest, I am more afraid of my local 7/11 employee who swipes my credit card every day in plain view when I buy milk, newspaper and mamma noodles. I think even some POS systems display the card number on their terminal screen!

These days, I think most credit cards have secondary verification systems in place so even if someone did get my card number, it would be very difficult to use. I already have a hard enough time booking airline tickets online and trying to remember what my Verified by Visa password is. Stupid story and I read somewhere that even some stupid phone provider in the US (Verizon maybe?) has delayed the sale of the Nexus because of this.

Re:Nothing to see here, move along... (0)

Anonymous Coward | more than 2 years ago | (#38395222)

amazon too

Social Engineering (5, Funny)

asdbffg (1902686) | more than 2 years ago | (#38394620)

Caller: Hi, I'm calling from... er... Google... and it says here in this text file that you have a credit card number on file with us. Is that right?

Victim: Yes, that's right.

Caller: Cool. Would you mind giving me that account number so I can verify your identity?

Victim: Let me get my card...

Re:Social Engineering (2)

sidthegeek (626567) | more than 2 years ago | (#38394654)

Victim: Funny, this guy with a Nigerian accent called me yesterday and said the same exact thing! Well, here you go... *reads number loudly into cellphone in a public area*

Re:Social Engineering (3, Insightful)

hawguy (1600213) | more than 2 years ago | (#38394828)

I think it goes more like this:

Caller: Hi, this is Judy from Visa. We have reason to believe that your credit card number has been stolen, do you have the card in your possession now?

Victim: Yes

Caller: Can you verify that the last 4 digits are 1234?

Victim: Yes, that's my card

Caller: Can you verify the answer to your security question?

Victim: My mother's maiden name is "Cartwright"

Caller: yes, that is correct, thank you for verifying your identify. Our system has detected $17,372 of fraudulent charges on your card. but don't worry Mr Smith, we can immediately block the card and reverse the charges. We'll just need to you read the full 16 digit card number and security code so we can get started.

Many people will fall for the scam - the caller obviously knows the last 4 digits of their card number and their security question. (which, of course they don't, but it sounds like they do), so they must be legit.

Re:Social Engineering (2)

tagno25 (1518033) | more than 2 years ago | (#38395454)

Last 4 digits and issuer are printed on most receipts. Sometimes even the name and expiration date are printed.

Re:Social Engineering (3, Interesting)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38396096)

I don't answer the questions. I say "I'll save us both some time. If this is a sales call, I'm not interested, and you should remove my details from your marketing list. If there is an issue with my accounts, I'll call the number on my bank statement, because frankly I don't trust cold callers. Which is it?"

They seem quite accommodating. They've done their job by contacting me, and I avoid all social engineering attacks.

It's the last 4 digits (5, Insightful)

hawguy (1600213) | more than 2 years ago | (#38394646)

From TFA:

While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database.

The same last 4 digits that are printed on your credit card receipts and show up as plain text on many web sites that store credit cards.

Doesn't seem like a big deal - people should know better than to give their card number to someone that has the last 4 digits of their card number since they could have gotten them anywhere. (or just guessed - send a spam email to 10 million people with a randomly generated 4 digit number, and you'll have guessed right for 1000 of those people.)

Re:It's the last 4 digits (1)

Lando (9348) | more than 2 years ago | (#38395042)

More than that because you would say card ending in xxxx and since people have multiple cards the hit ratio would be a bit higher.

And so? (5, Insightful)

Cyberax (705495) | more than 2 years ago | (#38394648)

And so what? Your phone must be able to decode the stored data, so it must somehow acquire decryption key.

That means that this decryption key must be transmitted over the network or stored on the device itself. And if it's stored on the device, then the whole encryption scheme is nothing more than complex obfuscation.

Re:And so? (1)

icebraining (1313345) | more than 2 years ago | (#38395352)

Well, they could possibly encrypt it with your PIN, no? Although since AFAIK most people use 4 digit PINs, it'd take about a second to decrypt it.

Re:And so? (0)

Anonymous Coward | more than 2 years ago | (#38395936)

Using a 4 digit pin to encrypt 4 digits of data is actually as secure as it gets. You'll have 9999 keys that gives 9999 seemingly valid outputs. Of course, if someone knows the last four digits of your credit card they can figure out what your PIN is.

Slashdotters don't hate Google enough... (1)

webanish (1045264) | more than 2 years ago | (#38394662)

...to start raising big concerns after reading just the title and not RTFA.

Re:Slashdotters don't hate Google enough... (0)

Anonymous Coward | more than 2 years ago | (#38395170)

bonch's trying, but as other apple b-boys aren't here - i mean basilbrush, bitztream, pretty sure there were some more apple lovers with nick starting with b - he's not trying too hard.

strange that insightin140bytes didn't show up, it'd be a perfect place for his usua easily disprovable fud postings.

So what? (1)

MisterJohnny (2029510) | more than 2 years ago | (#38394698)

So what if it's stored in plaintext on the phone itself? What matters is what's transmitted off of the phone.

Re:So what? (2)

hawguy (1600213) | more than 2 years ago | (#38394760)

So what if it's stored in plaintext on the phone itself? What matters is what's transmitted off of the phone.

I think it matters because if someone's phone is lost or stolen (or infected by malware) they don't want the card number to be stolen.

Re:So what? (1)

icebraining (1313345) | more than 2 years ago | (#38395362)

Thankfully the CC number isn't stored, only the last four digits.

Not very clear. (1)

AftanGustur (7715) | more than 2 years ago | (#38394788)

iaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number.

This is very, very vague.. Something as simple as a email address could be used for this purpose.

It's not plain data! (1, Funny)

martin-boundary (547041) | more than 2 years ago | (#38394824)

It's not plain data!

It's rot32 encrypted.

*twice*.

'Cause it's the only way to be sure...

Re:It's not plain data! (1, Funny)

Frankie70 (803801) | more than 2 years ago | (#38395004)

It's not plain data!

It's rot32 encrypted.

rot32 was broken 6 months back. I have moved to rot128 since then. It is 4 times stronger - sure it takes a little more power, but I can sleep well at night now.

Re:It's not plain data! (0)

Anonymous Coward | more than 2 years ago | (#38396018)

I think you mean ROT26 and ROT104 ....

not first NFC payment system on android (0)

Anonymous Coward | more than 2 years ago | (#38394852)

Android phones in here in japan have had mobile suica using sony felica NFC comms since early 2011...(toshiba, panasonic, sharp, etc)
This might be the first to use the samsung/google nfc tech, but definately definately not the first NFC payment system on androidn

This isn't exactly a security risk. (0)

idbeholda (2405958) | more than 2 years ago | (#38394908)

Leaving a receipt laying around from an ATM transaction is more worrisome. Even then, a bank rep wouldn't need to ask you for your card data, considering they already have it on file. Anyone who falls for a social engineering trick in which the operator requires data is clearly a fool.

For when you are too lazy..... (4, Informative)

Anonymous Coward | more than 2 years ago | (#38394966)

to even follow the link and lookup the summary..... here it is:
- A fair amount of data is stored in various SQLite databases including credit card balance, limits, expiration date, name on card, transaction dates and locations and more.
- The name on the card, the expiration date, last 4 card digits and email account are all recoverable
- [Fixed in Version 1.1-R41v8] When transactions are deleted or Google Wallet is reset, the data is still recoverable.
- The Google Analytic tracking provides insights into the Google Wallet activity. While I know Google tracks what I do, it’s a little frustrating to find it scattered everywhere and perhaps in a way that can be intercepted on the wire (non-SSL GET request) or on the phone (logs, databases, etc.)
- [Fixed in Version 1.0-R33v6] The application created a recoverable image of my credit card which gave away a little more info than needed (name, expiration date and last 4 digits). While this is not enough to use a card, it’s likely enough to launch a social engineering attack.

So it is as safe as anything else you use to pay stuff!
Shit... it is easier to just swipe someone's credit card bill! ^^

Did you hear that loud sucking sound? (-1)

Anonymous Coward | more than 2 years ago | (#38395208)

That was the sound of Fandroids rushing to get SECURE phones running iOS, Windows Mango or anything, just ANYTHING other than the Android.

This arrogant misstep by the Google is the first nail in their coffin. Google is the new Standard Oil.

PCI DSS (1)

Anonymous Coward | more than 2 years ago | (#38395332)

Do you also feel that there aren't enough different three letter acronyms?

Re:PCI DSS (1)

heathen_01 (1191043) | more than 2 years ago | (#38396378)

Yes, Three is the holy number, no more, no less.

www.bangtoysmall.com (-1, Troll)

toysmall (2513806) | more than 2 years ago | (#38395340)

Lovely bear keychain, so convenient and beautiful! As the gifts send to your friends, classmates and lovers. You are worth it! More surprise on the www.bangtoysmall.com It's the right toys mall [bangtoysmall.com] ! http://www.bangtoysmall.com/ [bangtoysmall.com] toys shop toy store novelty toy

Same as a sales receipt (1)

sl4shd0rk (755837) | more than 2 years ago | (#38395392)

FTFA: "While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database."

Sheesh, big deal about nothing. You know how many gasoline sales receipts end up in the garbage can next to the automated upmp.

You know what else store CC numbers in cleartext? (4, Insightful)

HaeMaker (221642) | more than 2 years ago | (#38395464)

My credit card.

I'm going to steal someone's phone to get their credit card number? Why not take their wallet?

Re:You know what else store CC numbers in cleartex (0)

Anonymous Coward | more than 2 years ago | (#38396146)

Agree. I'm already carrying my credit card around unencrypted anyway. If NFC becomes widespread I can stop using the physical card and only risk losing 4 digits.

Re:You know what else store CC numbers in cleartex (1)

Mithent (2515236) | more than 2 years ago | (#38396192)

Valid point. This does smell a little of "security flaws" which start with "first, get root access"... ("It rather involved being on the other side of this airtight hatchway" [msdn.com] , as Raymond Chen puts it).

If you have someone's phone or trick them to run code on it that steal their Wallet database, that can be used to obtain some information which you might be able to use to trick them to revealing their credit card details? It's possible, but rather convoluted, and requires the user to make mistakes more than once; I'm sure there are far easier ways to commit fraud.

fucMk! (-1)

Anonymous Coward | more than 2 years ago | (#38395558)

having lost 93% 3hich don't use the arithmetic, clearly. There Reald problems that

I don't want Wallet, thus stopped buying from Mark (0)

Anonymous Coward | more than 2 years ago | (#38395706)

I don't want to use Wallet, it's too intrusive and I have to give too much information to them.

For this reason I have stopped buying apps from the Market. I don't like this, but I don't want Wallet.

When I pay for an app, the only thing needed should be my CC number. No street address, no phone number, etc. That's the dealbreaker.

I'm not defending Google but... (5, Informative)

JohnnyMindcrime (2487092) | more than 2 years ago | (#38395710)

...I do work in security for a telecoms product manufacturer and maintainer and there are a HUGE number of companies out there that store credit card data in plain text.

However, you cannot just look at that one particular issue to make a determination as to whether or not the data is secure - it's also about how the system on which that data is stored is isolated from the real world, what firewalling and access controls are in place to restrict who can get to that data, whether or not they update the systems regularly, etc. etc.

This is NOT a security exploit, there's no report of any security hole that makes that data available to the rest of the world, unlike what happened to Sony - so some prespective needs to be put on this.

Any wise company conducts regular Risk Assessments on their infrastructure to determine what potential security risks exists, how big those risks are and how much it will cost to fix it. In this particular case, it might be that using encrypted credit card information might entail having to upgrade very expensive applications to a later version, all of which will factor into the cost of fixing the issue. If Google has determined that the risk of an outside party getting to that data is extremely low, then they may not consider it worth the expense of the upgrade.

Every company will do this, even Apple and Microsoft, and many of them do choose to adopt PCI (Payment Card Industry) guidelines on storing this kind of data correctly.

It could be argued that someone stealing a file of encrypted credit card data from a company is a much bigger issue than someone (so far) not being able to steal unencrypted data from a company - so it's always wise to put some perspective around these kinds of statements.

Which idiot posted this!?! (0)

Anonymous Coward | more than 2 years ago | (#38395784)

Google Checkout (now Google Wallet) is PCI DSS compliant as a Level 1 processor.

Given their compliance, no one has any basis to question the understanding the Google Wallet team has of PCI DSS requirements.

As someone responsible for PCI DSS compliance at their organisation, I can confirm that Google are not doing anything wrong here. Whoever posted this needs to do some reading, understand what they've posted and apologise.

Whoever accepted this submission for publishing needs to do the same.

Did these journalists ever study security? (1)

fedorfedor (838521) | more than 2 years ago | (#38396098)

They say the info is only available if the device has been rooted: the malicious software has root access. And their "solution" is that Google should store the local data in encrypted form. Anyone notice a fundamental flaw in this "solution", or heck, in the assumptions underlying their alleged problem?

If you rooted your device and therefore you disabled the security, what good is encrypting data locally? Any hack worth its salt would... well, I won't elaborate, but to software running as root, by definition, any locally accessible data and software is accessible. (And of course the same goes for an attacker having leisurely physical access to the hardware.) Basic security facts.

Honestly this all strengthens the argument for keeping all sensitive data only & always in the cloud: then the meagre security of your local device (pc, phone, whatever) might well not be the weakest link in the chain. This aspect did get a brief mention in the article, sort of, but it should have been the focus.

Re:Did these journalists ever study security? (0)

Anonymous Coward | more than 2 years ago | (#38396316)

> If you rooted your device and therefore you disabled the security

It doesn't quite work this way. "Rooting" is basically like adding user to sudoers file, IYKWIM. You don't get every application running as root afterwards, but you get the ability to let them. With a GUI su wrapper, you get a nice popup "Application X wants to get root access, accept? Y/N/[x] Remember this choice", optionally with PIN confirmation

So? (1)

Kartu (1490911) | more than 2 years ago | (#38396132)

The last 4 digits of your credit card number, that are often printed on your receipts as "plain text" are also stored as plain text by Google Wallet.
So?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?