New security flaw discovered in Google Wallet
Feb. 10, 2012
A new security hole was discovered in Google Wallet by The Smartphone Champ, and unlike Thursday's efforts which required root access to the phone and some rather harsh brute force, this security flaw simply involves asking the phone to reset the application data.
Doing that deletes the stored PIN (personal identification number) but not the credit card details themselves, so a new PIN can be entered by the hacker and new credit card transactions instantly become possible.
Google has apparently responded with a statement to this, providing a phone number (855-492-5538) which you can call if you're planning to pass the mobile handset to a friend, or worse, in the event that your phone is stolen.
Google will then disable the prepaid card and its NFC feature to prevent the phone from being used to pay for items using NFC technology.
It's easy to see how this situation has come about, although a bit more difficult to fully understand why Google didn't detect this security flaw earlier.
The Android application manager allows a user to clear app caches, then delete all information belonging to a specific application, as well as uninstalling the mobile app, and we already know that the Google Wallet app actually writes the user's PIN in a stored file, so deleting the data wipes the PIN altogether.
However, the credit card details themselves aren't stored in the phone's filesystem. Instead, they're stored safely in the Secure Element, so they don't get deleted when the application data is removed.
Run the Google Wallet after removing its data, and it assumes it's being run for the first time, and dutifully asks the user to create a PIN. Then ask it to add a prepaid card and it happily finds one already installed in the Secure Element and readies it for its use.
But some might argue that none of this makes Google Wallet any less secure than a real wallet, in fact it remains slightly more secure, and it's typical of the teething problems one hits when implementing such a complicated architecture, involving banks, payment processors and various trusted third parties.
And it's rather embarrassing and could risk the future of a technology which is already proving surprisingly difficult to manage, let alone have users adopt it.
It will be interesting to see how Apple responds to this in its soon-to-be-released iPhone 5. Some say that NFC technology will already be incorporated by Apple into the new device, along with a few other nice features which for now still need to be discovered.
In other internet security news
A group of hackers claim that they successfully hacked into Chinese contract manufacturer Foxconn yesterday, and a long list of email log-ins and intranet passwords were posted online. If this is true, it could cause many fraudulent orders for the company. And Apple is one of Foxconn's largest customer.
In a lengthy message posted to Pastebin, the hacking group Swagg Security claimed the attack on Foxconn. Although they described Foxconn’s dubious track record on the company's poor working conditions at length, the group said this was not the primary motive for the attack on its servers.
The message read: "Although we are considerably disappointed of the working conditions at Foxconn, we are not hacking a company for such a reason and, although we are slightly interested in the existence of an iPhone 5, we are not hacking for that reason either."
And it continued: "We hack for the cyberspace who share a few common viewpoints and philosophies. We enjoy exposing governments and corporations, but the more prominent reason, is the hilarity that ensues when compromising and destroying an infrastructure. How unethical right?"
Internet-Security.ca tried to contact Foxconn’s Shenzhen headquarters in China for confirmation but had not heard back at the time we posted this.
But according to their Twitter feed, the hackers gained access to Foxconn’s network via an outdated security vulnerability in a version of Internet Explorer which was extensively being used internally by the company.
The information posted online includes mail server log-in and username credentials, as well as various log-ins for procurement sites and intranets which Swagg Security claimed “could allow individuals to make fraudulent orders under big companies' names such as Apple, Microsoft, IBM, Intel, Dell, HP and a few more”.
“But Foxconn did have an appropriate firewall, however. The issue is that we were able to bypass it almost flawlessly,” the hackers explained in their note.
“Of course with the funding by ourselves, we did have our limitations. However, with several hacking techniques employed and a couple of days in time we were able to dump most of everything of significance nevertheless.”
Other security experts were able to verify that the stolen log-ins worked on more than one Foxconn server. Foxconn does appear to be taking measures to lock down its systems, however. Swagg Security tweeted on Thursday morning that the company had closed the compromised services.foxconn.com by saying: “Guess you guys made one too many orders”.
F-Secure chief research officer Mikko Hypponen says that, looking at the data released by the hacktivists, Foxconn wasn't following network security best practices. "If you do a Google search for the site: services.foxconn.com, you'll see that they had a file uploading service there for their partners," he said.
"So my best guess at this stage would be that the hackers managed to upload something malicious on the services.foxconn.com servers and somehow used that to gain access into the system."
The news comes as pressure mounts on Apple and other big tech companies to clamp down on conditions in supplier factories, in an effort for better and safer working conditions in Foxconn factories.
This morning, concerned Apple customers will drop off over 250,000 signature petitions in cities across the globe including New York, London and Sydney, registering their strong disapproval of supplier working practices, mostly directed at Foxconn, but there are also a few other contract manufacturers as well that are also being targeted.
Overall, Foxconn usually comes in for the most abuse, and understandably so, given that lucrative contracts with big names such as Apple, Dell, Intel and Microsoft have made it one of the largest electronic component manufacturers on the planet.
In other internet security news
A job-hunting hacker in Hungary who tried to get a job with the Marriott Hotel by hacking into the chain's network before offering to sort out the resulting mess has been found guilty of hacking and attempted extortion, and will have to spend the next 2 1/2 years in a U.S. federal prison.
Aged 26, Attila Nemeth did admit to sending Trojan-infected emails to workers at the hotel late in 2010, allowing him to access back end servers from PCs he managed to infect.
Nemeth then extracted sensitive data which he threatened to reveal unless the hotel chain offered him a job maintaining Marriott's computer systems.
Marriott responded to the event by reporting Nemeth to U.S. authorities, which ran a sting operation. Nemeth entered into an email and phone conversion with a U.S. federal agent posing as a hotel manager before he was persuaded to travel to the United States, ostensibly to attend an all-expenses-paid job interview.
Under the disguise of a Marriott job interview, Nemeth was coaxed into explaining how he hacked into the company's computer systems. He was subsequently arrested and charged with computer crime and extortion.
Nemeth then pleaded guilty to both crimes last November prior to a sentencing hearing last week, where he was sentenced to 2 1/2 years behind bars.
Marriott Hotels estimates that Nemeth's hacking attempts resulted in expenses of between $400,000 and $1 million in consultant expenses and other costs associated with determining how much damage the hacker might have caused.
Source: The Smartphone Champ.
You can link to the Internet Security web site as much as you like.