Stung by two instances where Google Wallet was hacked, Google defended its mobile payment service and claimed it is safer than using credit cards to pay for goods.
Google Wallet is a mobile payment app that communicates with smartphones equipped with near field communications (NFC), a short distance wireless technology. The app runs on Sprint Nexus S 4G smartphones, which users may tap against a cash register to pay for goods at some 20 retailers and restaurants.
The app, designed to let shoppers leave the wallets, cash and credit cards at home, is protected by a PIN code and the phone’s lock screen.
However, two separate security researchers last week cracked the PIN code used to secure Google Wallet.
On 9 February, web security provider Zvelo found a way to execute a brute-force attack on the Google Wallet PIN code. Zvelo engineer Joshua Rubin said the Wallet-bearing smartphone needs to be rooted by the user or someone who has physical access to the device to divine the PIN code.
Google said it “strongly discourages” users from disabling the PIN code in order to gain root access to their phone because the product is not supported on rooted phones.
“That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device,” Bedier wrote.
In the other attack, the SmartphoneChamp blog on 10 February detailed how a user who finds a lost Wallet-enabled smartphone that is not protected by a screen lock can clear the data associated with Wallet from the phone’s application settings menu.
What this does is prompt Google Wallet to reset itself and ask the user for a new PIN the next time it is launched. A user can simply create a new PIN and associate a Google PrePaid card to the app to access all previously available funds.
Bedier acknowledged this issue, saying Google temporarily disabled provisioning of prepaid cards as a precaution until Google issues a permanent fix.
“You can be confident that the digital wallet you carry provides defences that plastic and leather simply don’t,” Bedier said.
This is an allusion to the notion that the more wallets stay at home, the fewer will get lost and pose security issues related to lost credit cards.
However, if researchers keep poking holes in Wallet, whether they use tricks to unlock PINs or not, the less credible Wallet’s security will seem. This will be problematic at a time when Google is fighting to expand the service and help it proliferate in commerce markets worldwide.
In general, NFC-based mobile payments are expected to boom over the next five years, though they have been slow to pick up steam in some markets including the US.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
This is going to be hard blow for Google Wallet in its early stages of mass adoption. However, it does build some good rapport for Google that it would address and take care of a security hole. After the Carrier IQ scandal, it would be a very bad PR move for Google to ignore this security issue.
Sarah
Mosaic Technology
http://www.mosaictec.com