By A good chunk of the smartphone world – Verizon’s Android customers in particular – were in uproar regarding news that their version of the Galaxy Nexus would not be coming with Google Wallet.
We speculated (and still do believe) that their mobile payments partners in ISIS were the leading reason why they were reluctant to provide the service. After all, Sprint is still the only carrier to offer it and they only offer it on one device – the Nexus S 4G.
But they officially cited that Google Wallet was left out due to concerns about security and user experience. The last bit of that – UX – is so broad a term that one could come up with any estimation as to what they mean, but security? Well, that’s a legitimate concern.
Verizon elected not to go into grave detail regarding their security concerns at the time of their statement but we may have a vague look at what’s going on via viaForensics. What they reportedly found is just a bit alarming, if true:
- Google Wallet does securely handle full credit card information
- Certain database writes are unencrypted and can contain troubling information, such as account balances, credit limits, last four digits of a credit card and the expiration date – all pieces of information that can easily be used to social engineer one’s way into fraud.
- This information is only at risk on rooted devices. Still, not good.
There were other security concerns but they have apparently been cleaned up in software upgrades. We assume the issues listed above won’t go long without Google’s attention though there’s no word on what they’ll be doing about it and when.
We’re not sure if this is the type of stuff holding Verizon or any carriers other than Sprint from offering Google Wallet but we can understand why they wouldn’t be comfortable with it.
That’s not to say we know for sure whether or not Verizon will offer this service whenever their concerns are addressed, but we’d at least know there’s a chance. And yes, we’re hoping these findings won’t delay the Galaxy Nexus even further. Just offer Google Wallet in the market and call it a day. [via TheVerge]
hey at least verizon cares about the people out there that are rooted
A lot of this sounds like wheel-spinning to me.
all NFC has major major security loopholes. However, fighting google wallet in support of ISIS is not a solution either.
That’s like “our competitor’s solution is dangerous! try ours instead!” with a used-car salesman pitch to their customers.
don’t forget to throw in the pinstripes as performance upgrades
Come on, you know each stripe adds at LEAST 20HP.
and new muffler bearings and fresh blinker fluid!
ok…so……..it’s just like the PC browser wars. leave it off and let the user decide if he/she wants to take the risk. what’s the big deal?
most of us understand the risk involved with using electronic payments (in any form).
Keyword “most of us”…. It only takes a couple idiots who had there security breached to start a lawsuit against VZW even when they knew all the risk beforehand. I don’t see what the big deal is with Google wallet. Wait until is totally secure then let it on Verizon.
“totally secure” is a fairy tale and simply doesn’t exist in the real world. All we have is “secure enough,” and Google Wallet is secure enough.
And in other galaxy nexus never being released news
Oh Verizon…you are always looking out for us
forgot the
/s
my sarcasm tag stays on by default
;)
What’s the matter Verizon, can’t figure how to install all your bloat-ware and still leave room for Google wallet?
Where’s that gentleman that told me to stick to network security because this was out of my league? It’s not safe, that’s the issue and it’s real like it or not.
What damage can you do with 8999?
oh snap, you’re about to get socially engineered!
Does that come with Verizon Wireless lube?
If you’re talking about a jar of sand, then yes, yes it does.
FUD.
So somebody is going to steal and data-mine my phone just to get the last 4 digits of my credit card and the expiration date? You mean the same data that I leave laying around in restaurants on receipts? I think I’ll be ok, thanks.
not having the lst 4 or expiration date encrypted does not break PCI-DSS, and from what I’m reading, Wallet fully enforces PCI-DSS guidelines and requirements. This is the same standard set for all credit card terminals and POS systems. As long as they are following and enforcing PCI-DSS, then there is nothing to worry about, and I can guarantee they are, because if they were not, they would be hit with so many fines, & lawsuits. Google has partnered with FDR (First Data) to handle Wallet, and FDR is one of if not the biggest processing back-end in the US.
By the by, PCI-DSS = Payment Card Industry Data Security Standard, i.e. the security policies and procedures required for all merchants, ISOs, Processors, etc.. in reference to taking, storing, and using credit card information.
Er, most of that information that they are worried about being unsecure is readily available…. on little pieces of paper already. Last four of a card, on just about any receipt. Account balances? I see people leaving their ATM receipts at the machine all the time with this info on it. Limits? Always on any statement… right next to the full credit card number. Tons of statements to be found in any residential neighborhood mailbox. Expiration date is usually the hardest info to find and those are pretty finite numbers. I call BS on this excuse.
Oh! And then there is the other way to get all that info. Hack TJ Maxx. They’ve been in the news a few times for having their clients’ card info stolen.
F U VZW.
Whether or not there is a security issue with it or not, the choice should still be MINE to use it, not YOURS.
If you want to let your customers use the handsets for free over the life of our contract, then turn them back in when the contract is up, then you have the right to dictate what I do with it. As long as I pay ANYTHING for my phone, the decision should be in the hands of the end user!!!
I would agree with you if stupid people didn’t find a way to find Verizon liable for stolen information. Whether Isis was part of the situation or not, VZW wants nothing on the market that will get them sued. So people on the other side of the spectrum say, if I paid for it, it has to work without a hitch, or I’m owed something.
Although security could be a bit more tightened up with Google Wallet, I think it is secure enough. Almost nobody minds giving their credit cards (including name, number and CC-code) to waiters at restaurants and bars (even leave them behind the bar to keep the tab open). And that’s waaaaayyy more insecure than the issues described in this article.
One thing people have to ask is, am I OK with my data being stored in a foriegn country. Unless you know for sure where this data is stored, you may find that you have no reprecussions should your data be compromised. Different countries have different rules on how data is stored or managed. If you are in Canada and think, I’ll store my data because the laws of Canada protect me, and you later find out that your data is stored in the UK, you will find that the rules of the UK take precidence and the rules of Canada will not help you at all. Becareful when saving data in the cloud and make sure you know where it’s being stored! I won’t use google wallet because I don’t know where the data is going!
Oh is THAT why they left Wallet off? I figured it was something like that… Good ol’ VZW, always putting the best interest of their customers first, no matter the cost.. BTW can I have another hit of acid, please?
Sounds completely PCI compliant to me.
google should have never gave verizon a chance…. smh
I’m a bit disappointed in the way this conversation is going frankly. why don’t we cut through the BS and look at the plain and simple facts that kill Vz’s arguments.
1) as stated in a previous article on the topic, Verizon’s allegation was that the software had to be fully compatible with the hardware and that’s why they didn’t want it on. By stating it’s the hardware on “our phones” they purposely mislead the public; both the hardware(in collaboration with Samsung) and software in this case(the GNex is the only NFC phone Vz has or has lined up so far as I know) were designed by Google.
2) putting aside the fact that this information hardly warrants being called a security breach, as many people have pointed out everyone you hand your card to to pay has all this info and more. this so called breach only occurs on rooted phones, so Verizon’s solution is to make it so that you have to root your phone in order to have wallet.
i have yet to see anyone else address these facts and to me it makes Verizon’s position a non-starter.
To me this is a red herring and no more a security issue than most apps on phones.
Its a verizon deflection in hopes of distracting you from the fact they haven’t talked about what should be the most talked about android phone. Mainly because if they say something it will do nothing but make them look worse. My guess is that by saying nothing its not as bad as if they tell you exactly why they haven’t released the phone. I’m not buying any security issue. Its like telling your user to just reboot your machine and then call back later.
this is dum as hell all of this info is on the front of a cc except the balance also this info is needed to buy stuff Verizon is so full of poo
I really wonder who this study was funded by…sound like a propaganda campaign to me!