Two days ago security firm, Zvelo, discovered and reported to Google that the security PIN system that Google Wallet users have to enter to verify transactions, could be compromised. The wallet application saves your PIN in an encrypted file on the phone itself, and not the secured NFC chip, so if your phone falls into the wrong hands, that person could lift your PIN file from the phone and simply crack it using a bruteforce attack. If successful this person would then have full access to your Wallet account.
Because of the Wallet’s security architecture, the change will require a fundamental rejiggering of the security protocols, according to Zvelo. Google responded and said that “The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device”.
So if you haven’t rooted your phone you should be fine, right? Turns out this is not so, because now a new method shown at thesmartphonechamp.com. Because of a security vulnerability in Google Wallet that effects all users, regardless of if they are rooted or not, someone can get access to your Google Wallet without even the need for bruteforcing.
The security flaw now discovered is so easy to utilize that is almost scary. It does not require root access, special software or technical skills, all you need is access to the phone it self. The way Google Wallet works is that it’s tied to the device itself, and not tied to your Google account. So if you can get the PIN for the Google Wallet, or a new PIN, you will have access to the Wallet tied to the device. If you drop your phone, and have no additional security features active that prevents access to the phone menus, all a person that finds the phone needs to do, is go into the application settings menu and clear the data for the Google Wallet application.
After clearing the data the Google Wallet application will be reset and will prompt for you to set a new PIN the next time you open it. Choose a new PIN, and the application starts. Because Google Wallet is tied to the device, you can now add the Google prepaid card, and it will add the card that is tied to that device. It takes just a few minutes, so anyone having access to the phone could quite easy have access to your Google Wallet.
Google have already issued a statement regarding the new method:
We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.
See a demo from thesmartphonechamp.com here: