A study by the security firm viaForensics found “the amount of data that Google Wallet stores unencrypted on the device [cellular handset] is significant (pretty much everything except the first 12 digits of your credit cards)” and that this data could be used by an attacker to steal from the wallet’s user. “Many consumers would not find it acceptable if people knew their credit card balance or limits,” says the study about the data. Knowing a user’s name, when they have used their card recently, the last four digits on their card and its expiration date, and adding in other information that is generally available online, an attacker is “well armed” for an assault, says the firm.
In response, Google points out that viaForensics used a so-called rooted phone (a device over which the security firm had privileged control) in its test and that even under those conditions the wallet’s secure element was still not breached. Also, other aspects of the wallet’s security, such as storing passwords and its defence against so-called man-in-the-middle attacks over Wi-Fi (where the attacker inserts himself into an exchange between two other users), received a thumbs up from viaForensics.
The security firm also made an interesting general observation. The largest security risk from apps using NFC is from the apps themselves and not from the wireless technology, says the firm.