updated 01:20 pm EST, Tue December 13, 2011
Google Wallet credit card data too accessible
Research firm ViaForensics has performed a study on a rooted smartphone with Google Wallet preloaded and concluded that the software doesn't encrypt sensitive payment card information. This includes the last four digits of a credit card number, balance, credit limit, expiration date, transactions and other sensitive information. The data is unencrypted and stored in SQLite databases.
The report, titled "Forensic security analysis of Google Wallet," goes on to say that Google Wallet creates a recoverable image of a credit card. A PIN is needed to authorize payments, so credit card information is still somewhat secure.
The report also said that the information remains recoverable even after Google Wallet is reset or the transactions are deleted. As such, the report's authors urge anyone who sells their phone to do a full reset rather than just a Google Wallet reset to wipe the data. The team also attempted a man-in-the-middle attack over Wi-Fi, trying to perform an account registration when adding a new credit card, and Google Wallet rejected it.
The entire credit card was not accessible, however, as it's stored in a secure element in the NXP chip. The test phone was also rooted, meaning the researchers had special access to its features.
A Google representative said the company will make changes to the software to prevent deleted data from being recovered on rooted devices based on this new research.
Google Wallet is available on the Nexus S range of smartphones with the Android OS. It depends on NFC wireless for very short distances. [via CNET]
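The finding that deleted transactions stay recoverable matches a general property of SQLite: unless told otherwise, it marks a deleted row's space as free without overwriting it. The following is an added example, not code from the ViaForensics report or from Google Wallet. The table, file name and marker value are constructed, and `PRAGMA secure_delete` is SQLite's own setting, not something the article says Google adopted.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for sensitive card data.
MARKER = "CONSTRUCTED-CARD-LAST4-4242"


def residue_after_delete(secure_delete: bool) -> bool:
    """Insert rows, delete the sensitive one, and report whether its
    bytes are still present in the raw database file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet_demo.db")  # hypothetical file name
        conn = sqlite3.connect(path)
        # Set explicitly: the default depends on how SQLite was compiled.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}")
        conn.execute("CREATE TABLE txn (id INTEGER PRIMARY KEY, detail TEXT)")
        conn.executemany(
            "INSERT INTO txn (detail) VALUES (?)",
            [("coffee 3.50",), (MARKER,), ("parking 2.00",)],
        )
        conn.commit()
        conn.execute("DELETE FROM txn WHERE detail = ?", (MARKER,))
        conn.commit()
        # The application can no longer see the row through SQL...
        visible = conn.execute(
            "SELECT COUNT(*) FROM txn WHERE detail = ?", (MARKER,)
        ).fetchone()[0]
        conn.close()
        if visible != 0:
            raise RuntimeError("row should be gone from query results")
        # ...but a raw read of the file, as a forensic tool does, may find it.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("secure_delete=OFF, deleted row still in file:",
          residue_after_delete(False))
    print("secure_delete=ON,  deleted row still in file:",
          residue_after_delete(True))
```

Enabling `secure_delete` only zeroes content freed from then on; it does not scrub space already released by earlier deletions.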