Security firm ViaForensics recently said Google Wallet does not properly protect personal data, including credit card balance information, on a rooted Nexus S smartphone. Google Wallet is an NFC-based mobile payment system for Android that is accepted by a number of retailers in the United States. It is currently only officially available on the Nexus S and Nexus S 4G. “While Google Wallet does a decent job securing your full credit cards numbers, the amount of data that Google Wallet stores unencrypted on the device is significant,” ViaForensics said in a recent report. “Many consumers would not find it acceptable if people knew their credit card balance or limits.” Read on for more.
ViaForensics also worries that hackers could use the unprotected information to successfully attack someone using social engineering. A hacker, for example, might call and verify your address, when you last used your credit card, the last 4 digits of your card and the expiration date and ask for your full credit card number.
Only a subset of users — those with rooted devices — should be worried, however. “The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet,” Google said in a statement provided to CNET. “This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV number. Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices.” Google also said that another security issue revealed in the ViaForensics report has already been addressed in a software update.