Google Wallet vulnerable to identity theft attack by rogue apps

By , CardRatings contributor
  • Google +
  • Twitter
  • Facebook

A customer service feature designed to display key account information could leave Google Wallet users vulnerable to identity theft, according to researchers at viaForensics. After viaForensics posted its findings, financial industry trade magazine American Banker interviewed the company's chief investigative officer, Andrew Hoog. While Hoog noted that Google's mobile payment software stores linked MasterCard account numbers securely, he said the system uses plain text files to store other pieces of consumer data, including these:

  • User's name
  • Credit card expiration date
  • Available credit
  • Payment due dates
  • The last four digits of a linked credit card
  • Transaction dates and locations

Hoog suggested that criminals who gather the information stored on a Google Wallet device could launch a social engineering attack against its user by impersonating bank officials. Fraud detection teams at major credit card issuers routinely call consumers to verify unusual transactions, asking questions about the time and date of purchase and verifying that they already know a cardholder's account number. Persuasive criminals could stage official-sounding calls, convincing customers to give up the extra information needed to open fraudulent accounts.

Malware a bigger threat than device theft, researchers say

Though mobile phone carriers and device manufacturers have touted "near field communication" devices like Google Wallet as a major leap in credit card security, technology industry observers warn that developers must stay ahead of skilled criminals. Although phone-based NFC tools can be disabled remotely when phones get lost or stolen, identity thieves may not need to gain possession of a mobile device to access account information.

According to PCWorld's Armando Rodriguez, dozens of seemingly-harmless Android apps already contain malware that can transmit user data to offshore servers. Rodriguez cited Lookout Mobile Security's list of rogue apps that includes titles like "Chess," "Scientific Calculator," and "Spider Man." To avoid becoming a victim of app-based credit card theft, Rodriguez suggests researching application publishers before installing new software on Android phones. Online reviews and security reports can help Android users pick out reputable apps and publishers from a crowded marketplace.

0 Responses to "Google Wallet vulnerable to identity theft attack by rogue apps"

No Comments

Leave a Comment
About Our Ratings ×

Our editors rate credit cards objectively based on the features the credit card offers consumers, the fees and interest rates, and how a credit card compares with other cards in its category. Ratings vary by category, and the same card may receive a certain number of stars in one category and a higher or lower number in another.

The ratings are the expert opinion of our editors, and not influenced by any remuneration this site may receive from card issuers.

Advertisers in our database are highlighted, and advertisements include an option to apply using links on our site. CardRatings.com may be compensated by companies mentioned on the site when a user's application is accepted or approved by such companies.

How do your cards stack up?

Compare your card starting here


Featured Partner Cards