February 12, 2012
Google Wallet Users Warned Over Digital Pickpocket Risk
Security researchers have discovered a vulnerability in Google Wallet software that could allow thieves to gain access to an individual's secret PIN numbers in certain circumstances, various media outlets have reported.
According to PCWorld's Sarah Jacobsson Purewal, the issue with the near-field communication (NFC) payment system was discovered Thursday by representatives of the Internet and network security firm Zvelo Labs.
The exploit allows anyone using an already-rooted smartphone running Google Wallet to access the software's PIN, thus potentially allowing a hacker to use that smartphone to make purchases using the credit card information stored on the device's NFC chip.
"Google Wallet allows only five invalid PIN entry attempts before locking the user out," Zvelo researcher Joshua Rubin said in a blog post, according to a Friday AFP article. "With this attack, the PIN can be revealed without even a single invalid attempt… This completely negates all of the security of this mobile phone payment system."
In a video posted to the security company's website, Rubin demonstrated the technique that allows a hacker to figure out the identification number. He told AFP that he had alerted Google to the vulnerability, and said that the company was working quickly to fix the problem.
So how does it work? According to Steve Woods of Blogging Google, essentially it's as easy as resetting the application. Once Google Wallet is restarted, he says, it will ask the user to enter a new PIN. If a thief has access to the phone, they can simply enter a new PIN and potentially gain access to any accounts stored on the NFC chip.
Woods says that criminals may not be the only ones who can access credit card or checking account information in this way, either: "Because your Google Wallet account is tied directly to your smartphone, even people who have legitimately purchased your phone may be able to dig their way easily into your funds, unless you ensure the phone has had your information properly flushed."
Wired's Mike Isaac called it "an egregious security risk," but said that Google spokesman Nate Tyler told him that the company was working on an automated fix for the exploit, which Isaac said should be ready "soon".
On Friday, Osama Bedier, Vice President, Google Wallet and Payments, issued a statement in response to the Zvelo Labs report, assuring users that Google Wallet was safe for mobile payments and that the software even had advantages over physical credit and debit cards and traditional wallets.
The exploit requires the smartphone to have been rooted, and according to Bedier, "in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device." He added that with Google Wallet, "just like with any other credit card, you can get support when you need it. We provide toll-free assistance in case you lose your phone or someone manages to make an unauthorized transaction."
Currently, Google Wallet only functions with Citi Mastercards or Google Prepaid cards.