Quite a while ago, Google Wallet was brought into the world. It’s a payment system that essentially saves your payment data and allows you to use your smartphone to purchase things instead of pulling out a thin piece of plastic (in this case, a pretty piece of glowing plastic). Sadly, though, some vulnerabilities have been found that allow someone to access data that was supposedly secure.
Google Wallet, to protect your data from malware, uses a “Secure Element” to store your account data. The protection to prevent unauthorized access is a PIN security system. It’s theoretically safe but theory rarely meets reality. Exactly how easy is it to penetrate the defense?
Turns out that it isn’t difficult at all right now.
There are currently two vulnerabilities found for Google Wallet’s PIN system. The first one is extremely simple and requires NO ROOT. It works by essentially wiping out the previous application data. By doing this, the PIN is effectively wiped out and the app will ask the user to set up a new PIN. Voilà, the payment system becomes open for anyone to use and funds can be drained like a wrung sponge. The second exploit, on the other hand, takes the guess-and-check method to a modern level. Security researchers have found a locally-stored hash in the Google Wallet code that allows someone to brute-force crack the PIN without being detected. Any modern processor will crunch through the possible codes in very little time.
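The second issue comes down to where the PIN check happens. The sketch below is an added example, not code from Google Wallet or from the researchers: it compares a hash that can be read from local storage with a verifier that keeps the hash private and counts failures. The 4-digit PIN length, the salted SHA-256 scheme, the limit of 5 tries and the `CountedVerifier` name are all assumptions for illustration.

```python
import hashlib
import hmac
import os

PIN_DIGITS = 4  # assumption: the page does not state the PIN length
KEYSPACE = [f"{n:0{PIN_DIGITS}d}" for n in range(10 ** PIN_DIGITS)]


def pin_hash(pin: str, salt: bytes) -> bytes:
    # Assumed scheme (salted SHA-256); the page does not name the algorithm.
    return hashlib.sha256(salt + pin.encode()).digest()


def offline_guesses_needed(stored: bytes, salt: bytes) -> int:
    """Guesses to match a hash readable from storage; nothing limits them."""
    for count, guess in enumerate(KEYSPACE, start=1):
        if hmac.compare_digest(pin_hash(guess, salt), stored):
            return count
    raise ValueError("no PIN in the keyspace matches")


class CountedVerifier:
    """Hypothetical verifier that keeps the hash private and counts failures."""

    def __init__(self, pin: str, max_tries: int = 5):
        self._salt = os.urandom(16)
        self._hash = pin_hash(pin, self._salt)
        self._max = self._left = max_tries

    def verify(self, guess: str) -> bool:
        if self._left == 0:
            raise PermissionError("locked: retry limit reached")
        ok = hmac.compare_digest(pin_hash(guess, self._salt), self._hash)
        self._left = self._max if ok else self._left - 1
        return ok


def guesses_before_lockout(verifier: CountedVerifier) -> int:
    """Wrong guesses the counted verifier accepts before it locks."""
    tried = 0
    try:
        for guess in KEYSPACE:
            if verifier.verify(guess):
                break
            tried += 1
    except PermissionError:
        pass
    return tried
```

With only 10,000 candidates, the salt and the choice of hash do not matter once the stored value is readable; what bounds guessing is a counter that the guesser cannot reset or bypass.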
Google has a fix on the way but can’t implement it ASAP due to a “change of agency” regarding who’s responsible for keeping the PINs secure: Google or the banks? The biggest complication is that the fix involves the other companies that have a hand in Google Wallet. For now, Google advises users not to root their device, to set up a lockscreen lock and, if they lose or sell their phone, to call 855-492-5538 to disable the prepaid card.
Source: [Zvelo, Android Guys, The Smartphone Champ via Pocketnow]

