Two days ago, the security firm Zvelo discovered and reported to Google that the security PIN that Google Wallet users have to enter to verify transactions could be compromised. The Wallet application saves your PIN in an encrypted file on the phone itself, not on the secured NFC chip, so if your phone falls into the wrong hands, that person could lift your PIN file from the phone and crack it with a brute-force attack. If successful, this person would then have full access to your Wallet account.
According to Zvelo, Wallet's security architecture means that changing this will require a fundamental rejiggering of the security protocols. Google responded and said that “The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device”.
So if you haven’t rooted your phone you should be fine, right? It turns out this is not so: a new method has now been shown at thesmartphonechamp.com. Because of a security vulnerability in Google Wallet that affects all users, regardless of whether their device is rooted, someone can get access to your Google Wallet without any need for brute-forcing.