We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Google Wallet Suspends Prepaid Credit Card Functions

The move comes following the airing on the Internet of a flaw in the wallet's design.

Google has suspended prepaid capabilities on credit cards linked to its mobile wallet after a security flaw was exposed.

Saturday's move comes following the airing on the Internet of a flaw in the wallet's design that could allow an unauthorized user of a phone to tap into an existing balance on a card by reconfiguring the wallet's settings.

"We took this step as a precaution until we issue a permanent fix soon," Vice President for Google Wallet and Payments Osama Bedler wrote in a company blog.

The security flaw was revealed last Thursday by a blogger identified only as "The Smartphone Champ," who explained that by opening up the settings section on an Android phone and blanking all the settings for a Google Wallet, an unauthorized user could access any balances on a prepaid card previously linked to the wallet.

The disclosure came just a day after security firm Zvelo publicized a method for cracking a PIN for a Google Wallet. What Zvelo found was that the PIN for the wallet wasn't stored in its "secure element" -- an almost impregnable hardware device in the phone -- but in a database protected by the Android operating system. By mounting a brute force attack on that database, a hacker could make it cough up the PIN to the wallet.

A caveat to the attack, however, is that it only works on "rooted" phones, or phones modified by their owners in order to gain greater system access to their mobiles. Rooting is discouraged by phone makers because not only may it void the device's warranty, but it can create security vulnerabilities in the mobile.

Both the flaws found in Google Wallet last week can be foiled if an owner activates the screen lock feature on their phone. That feature requires a PIN to be entered whenever the phone is activated. If an unauthorized person doesn't know that PIN, then they can't get into the phone to work any mischief on it. Many users, though, don't use that feature because they don't want to be punching in a PIN numerous times a day.

It's also important to note that the flaws require an unauthorized party to get physical access to a phone to exploit it. Neither flaw can be performed remotely through malware.

In addition, the vulnerabilities are in the design of the wallet, not in the NFC payment system behind it. If the wallet's PIN, for example, were placed in the payment's system secure element, it would be almost unhackable.

"Google Wallet is still significantly more secure than the credit card you use today, even with this vulnerability in the wild," Zvelo researcher Joshua Rubin told PCWorld.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.

IDG UK Sites

LG G Watch review: Android Wear smartwatch is the best around, so far

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Why the BBC iPlayer outage was caused by a DDoS attack: Topsy and Tim isn't *that* popular

IDG UK Sites

See Glasgow 2014 in UHD as history is made