
Google Wallet Flaw Allows Digital Pickpocket

A newly identified security vulnerability doesn't require a rooted phone, as with an earlier glitch.

A new and troubling vulnerability in Google Wallet has been exposed. Unlike a low-risk security issue identified yesterday, today's security flaw is described as painfully easy to exploit.

Security firm Zvelo yesterday discovered a vulnerability in Google Wallet, Google's NFC payment system, that allows anyone holding an already-rooted smartphone running Google Wallet to access the Google Wallet PIN.

Such a vulnerability allows a hacker to use a Google Wallet-enabled smartphone to make purchases using the credit card information tied to the NFC chip. However, Google points out that this is a low-risk situation, because it only works if the smartphone has already been rooted (by the owner), and credit card information, while usable, is still secure.

Easy Exploit

Today's more serious glitch comes from smartphone blog The Smartphone Champ, which describes a security flaw in Google Wallet that is "painfully easy to do," requires no extra software (unlike the Zvelo flaw), and does not require a rooted device.

Basically, the problem stems from the fact that credit card data is tied to the device, not a person's Google account. So anyone holding a Google Wallet-enabled phone can change the Google Wallet PIN by going into the application settings menu and clearing the data for the Google Wallet app. Once this is done, the Google Wallet app will prompt the user/hacker for a new PIN.

Because the card data is tied to the device, when the user/hacker adds the Google prepaid card to the Google Wallet app after resetting the data, the old card data will be added to the app. So the user/hacker will now be able to access the card's funds -- although it should be noted that the credit card data will still be secure (but does it really matter if it's secure when someone else can access your funds?).

This vulnerability is a much bigger deal than the Zvelo one, because it's easy to perform (the Zvelo vulnerability required a modicum of hacking knowledge to crack), and it can be performed on any device--rooted or not.

Google's Advice

Google has noted the security flaw and tells PCWorld it's currently working on an automated fix that will be available soon. Meanwhile, Google recommends that all Google Wallet users set up a lock screen as an additional layer of protection for their phone.

Google also strongly encourages users who lose or want to sell their Google Wallet-enabled phones to call the Google Wallet support (toll-free) number, 855-492-5538, to disable the prepaid card.

Follow Sarah on Twitter, Facebook, or Google+, and Today @ PCWorld on Twitter.

