A customer service feature designed to display key account information could leave Google Wallet users vulnerable to identity theft, according to researchers at viaForensics. After viaForensics posted its findings, financial industry trade magazine American Banker interviewed the company's chief investigative officer, Andrew Hoog. While Hoog noted that Google's mobile payment software stores linked MasterCard account numbers securely, he said the system uses plain text files to store other pieces of consumer data, including these:
- User's name
- Credit card expiration date
- Available credit
- Payment due dates
- The last four digits of a linked credit card
- Transaction dates and locations
Hoog suggested that criminals who gather the information stored on a Google Wallet device could launch a social engineering attack against its user by impersonating bank officials. Fraud detection teams at major credit card issuers routinely call consumers to verify unusual transactions, asking questions about the time and date of purchase and verifying that they already know a cardholder's account number. Persuasive criminals could stage official-sounding calls, convincing customers to give up the extra information needed to open fraudulent accounts.
Malware a bigger threat than device theft, researchers say
Though mobile phone carriers and device manufacturers have touted "near field communication" devices like Google Wallet as a major leap in credit card security, technology industry observers warn that developers must stay ahead of skilled criminals. Although phone-based NFC tools can be disabled remotely when phones get lost or stolen, identity thieves may not need to gain possession of a mobile device to access account information.
According to PCWorld's Armando Rodriguez, dozens of seemingly-harmless Android apps already contain malware that can transmit user data to offshore servers. Rodriguez cited Lookout Mobile Security's list of rogue apps that includes titles like "Chess," "Scientific Calculator," and "Spider Man." To avoid becoming a victim of app-based credit card theft, Rodriguez suggests researching application publishers before installing new software on Android phones. Online reviews and security reports can help Android users pick out reputable apps and publishers from a crowded marketplace.