Google Wallet stores a lot of unencrypted data that could be used in a social engineering attack against the device owner.
Security firm viaForensics reports that Google Wallet failed its test because the app stores large amounts of unencrypted data on the consumer's device. Unencrypted information stored within Google Wallet includes the credit card balance, limits, expiration date, name on card, transaction dates and locations, and more. Unfortunately, the potential for this data to be used in a social engineering attack against the consumer directly, or against a provider, is high.
For those unfamiliar with Google Wallet, it's a new service that allows consumers to use their Android device to make contactless payments at retailers using Near Field Communication (NFC) technology. Currently Google Wallet only supports one major credit card along with a handful of gift and loyalty cards.
According to the firm, when transactions are deleted or Google Wallet is reset, the data is still recoverable. Moreover, the name on the card, the expiration date, the last four card digits and the registered email account are all easily recoverable, although Google Wallet does not store the user's entire credit card number.
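The "deleted but still recoverable" behaviour the report describes is typical of how embedded databases free space: a deleted row is unlinked from the table, but its bytes stay in the file until overwritten. As an added example, not from the report or from Google, the Python script below uses SQLite (the report does not say how Wallet stored its records, so the choice of SQLite is an assumption) to show a deleted transaction row surviving in the raw database file, and `PRAGMA secure_delete` overwriting it instead.

```python
import os
import sqlite3
import tempfile

# Constructed sample record; any distinctive string serves as the marker.
MARKER = "CONSTRUCTED-MERCHANT-4.25-USD"


def write_and_delete(path, secure_delete):
    """Store one transaction row, commit, delete it, commit.

    Returns the value of PRAGMA secure_delete in effect for the DELETE
    (0 = off, 1 = on, 2 = fast), since some SQLite builds default it on.
    """
    conn = sqlite3.connect(path)
    if secure_delete:
        conn.execute("PRAGMA secure_delete = ON")   # zero freed cell bytes
    mode = conn.execute("PRAGMA secure_delete").fetchone()[0]
    conn.execute("CREATE TABLE txns (id INTEGER PRIMARY KEY, merchant TEXT)")
    conn.execute("INSERT INTO txns VALUES (1, ?)", (MARKER,))
    conn.commit()                                   # row is now on disk
    conn.execute("DELETE FROM txns WHERE id = 1")
    conn.commit()                                   # row is gone from queries
    conn.close()
    return mode


def marker_still_on_disk(path):
    """Search the raw file bytes, as a string search over a copied database would."""
    with open(path, "rb") as f:
        return MARKER.encode() in f.read()


def demo(secure_delete):
    """Return (secure_delete_mode, marker_recoverable) for a fresh database file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)                                    # SQLite treats an empty file as a new DB
    try:
        mode = write_and_delete(path, secure_delete)
        return mode, marker_still_on_disk(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for flag in (False, True):
        mode, recoverable = demo(flag)
        print(f"secure_delete={mode}: deleted row still in file -> {recoverable}")
```

Turning `secure_delete` on only protects rows deleted afterwards; data already freed before the change needs a `VACUUM` to be rewritten.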
"While Google Wallet does a decent job securing your full credit card numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card)," the firm reports. "Many consumers would not find it acceptable if people knew their credit card balance or limits."
A Google representative responded to the report on Tuesday, claiming that the sensitive data can only be retrieved from a rooted phone.
"The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet," said spokesperson Nathan Tyler. "This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programs that attempt to gain root access without users' knowledge."
But malware like DroidDream can get past Android security and grant root access to the phone. Once that happens, the pool of data collected by Google Wallet would be sufficient to launch a social engineering attack. As an example, a hacker could send someone a message that cites their recent transactions and balance and asks them to confirm their card number.
"The fact that the sender knew you had conducted a transaction that afternoon would convince most people that it was legitimate," said Andrew Hoog, chief investigative officer at viaForensics.
To read the entire report, head here.