Security researchers have discovered that Google's payment service Wallet stores several pieces of data unencrypted. This applies, for example, to the last four digits of the credit card. Transaction data is also not encrypted.
According to security firm Via Forensics, in addition to this data, the remaining credit on the payment card, payment limits, the locations where Wallet was used, and the name are stored unencrypted on the phone. It is also possible to retrieve personal data after the phone has been erased, because Google has built in a recovery feature for this purpose.
The researchers managed to obtain the information, but to do so they used an Android phone with root access. Normally there would be no access to the data, so the impact remains limited. Attackers can, however, root a stolen or found phone to get at the information. Via Forensics did not succeed in carrying out a man-in-the-middle attack.
Google told CNET that the security of the payment service is in order, because no access can be obtained to the full credit card number. However, the internet giant said it will change the recovery feature so that data can no longer be retrieved after a reset.
Wallet is a payment service for mobile phones that works with the short-range technology NFC. It is currently only available for Android and only works in the United States. It is possible that the service will be rolled out in other countries, but Google must make arrangements with payment providers. Stores must also support the service.