Forensic specialists analyse Google Wallet
According to viaForensics, a US digital forensics and security firm, Google's Wallet mobile payment system contains several security risks. In a post on its blog, however, the company says that the results are not complete, since the analysis "is nowhere near the level of testing an app like this deserves".
With Google Wallet, users can pay for products and services using near field communication (NFC) technology built into devices running the company's Android mobile operating system. This is done by saving credit or debit card credentials to a user's smartphone, holding the NFC-equipped device to a payment terminal and entering a PIN to complete the transaction.
Man-in-the-middle attacks over Wi-Fi failed, both when registering a new Google Wallet account and when adding a credit card to an already existing account. According to viaForensics, the software validates the counterparty’s SSL certificates and refuses to continue when certificates are found to be invalid.
The forensic specialists did, however, make some discoveries in the smartphone's filesystem, although only in areas that require root privileges. There, they found a number of databases that included information such as balance, limit, expiry date and the name on the credit card. They were also able to discover when and where NFC payments were made but could not uncover more than the last four digits of the card number.
In addition, the specialists found that Wallet sends a large amount of data to Google Analytics and creates a number of entries in system logs. The man-in-the-middle attack, for example, led to a stack trace that showed up in the log files, which the blog entry says "is not the best idea [for a frequently used app, since it] may give the attacker info they need to advance their techniques".
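The stack-trace leak described above is something an app's own test pass can check for. The following is an added example, not code from viaForensics or Google: it scans logcat output in the "threadtime" format for exception headers followed by stack frames from the same process, thread and tag. The log lines, the tag and the package names are constructed for illustration.

```python
import re

# Constructed logcat lines ("threadtime" format); tags and packages are hypothetical.
SAMPLE_LOG = """\
01-12 10:15:02.101  2314  2330 I WalletApp: starting card registration
01-12 10:15:02.940  2314  2330 E WalletApp: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
01-12 10:15:02.940  2314  2330 E WalletApp: \tat com.example.wallet.net.ApiClient.connect(ApiClient.java:88)
01-12 10:15:02.941  2314  2330 E WalletApp: \tat com.example.wallet.setup.RegisterTask.run(RegisterTask.java:41)
01-12 10:15:03.200  2314  2314 W WalletApp: registration aborted: server certificate rejected
01-12 10:15:04.000   812   812 E OtherApp: \tat com.example.other.Main.run(Main.java:5)
"""

# date time pid tid level tag: message
LINE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.+?): (.*)$"
)
# Fully qualified Java exception or error class at the start of a message.
EXC = re.compile(r"^(?:Caused by: )?((?:[\w$]+\.)+[\w$]*(?:Exception|Error))\b")
# Stack frame: "at package.Class.method(".
FRAME = re.compile(r"^\s*at ((?:[\w$]+\.)+[\w$<>]+)\(")


def find_leaked_traces(log_text):
    """Return one finding per exception header that is directly followed by
    stack frames logged by the same (pid, tid, tag)."""
    findings, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            current = None
            continue
        pid, tid, _level, tag, msg = m.groups()
        key = (pid, tid, tag)
        exc, frame = EXC.match(msg), FRAME.match(msg)
        if exc:
            current = {"key": key, "tag": tag,
                       "exception": exc.group(1), "frames": []}
        elif frame and current and current["key"] == key:
            if not current["frames"]:      # report each trace once
                findings.append(current)
            current["frames"].append(frame.group(1))
        else:
            current = None                 # ordinary line ends the trace
    return findings
```

A release build that handles the certificate failure cleanly would leave only a line like the constructed `registration aborted` entry, for which the function reports nothing.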
viaForensics points out that a complete security analysis would include more extensive testing in areas such as NFC implementation and data transfer decryption. An attack on the Secure Element should also be attempted, since, like a credit card's chip, it includes particularly sensitive data protected by the PIN.