Google has gone ahead and disabled the provisioning of new prepaid cards on their NFC-based payment system, Google Wallet. The move by Google comes after two vulnerabilities were discovered that allow an individual to either crack the Google Wallet PIN or completely reset the PIN.
Note: If you currently have a prepaid card, you can continue to fund and use it. No new prepaid cards will be offered until a fix for these issues is available.
The first vulnerability was discovered by Joshua Rubin, a software engineer at zvelo, a malware analytics group. Joshua created a program that easily cracks the 4-digit Google Wallet PIN. In order for Google Wallet’s PIN to be cracked using Joshua’s method, an attacker would need to have access to a rooted phone that didn’t have some sort of screen lock enabled.
Google responded to the vulnerability by issuing the following statement:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.
A day after the first vulnerability was revealed, a second vulnerability was brought into the spotlight that didn’t require the phone to have root access. With this second vulnerability, one can simply go into the phone’s application management screen and clear the Google Wallet app data. Once the app data for Google Wallet is cleared, simply open up the app, create a new 4-digit PIN, and restore the prepaid card that is tied to the Google account.
After this second vulnerability was made public, Google decided to go ahead and suspend new prepaid cards in Google Wallet until a permanent fix was made available. Here is what Google had to say about the prepaid cards and Google Wallet:
we also take concrete actions to help protect our users. For example, to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon.
In addition to disabling provisioning of prepaid cards, Google also reminded us that Wallet is still safe enough for mobile phone payments. After all, the application is protected by a 4-digit PIN, as well as the phone’s lock screen. In addition, Google discouraged users from rooting their phones because doing so disables important security mechanisms. And just like with traditional credit cards, if you have an NFC-equipped phone that uses Google Wallet, Google urges you to call their toll-free hotline in case you lose your phone.
Overall, I think that the whole Google Wallet PIN vulnerability issue has been blown out of proportion. Just like when you lose your wallet in real life, there are some steps that you need to take if you ever lose your phone with your digital wallet. The first would be to change your Google account password.
All of these vulnerabilities get taken care of if a user simply changes their Google account password the moment they realize that their phone has somehow been compromised. Without access to your Google account, nobody can make any sort of unauthorized purchases using your phone. A second security defense would be for you to use some sort of lock screen. By simply having a PIN, password, or some other form of screen-lock security enabled, nobody can get access to your phone to the point where they can clear an app’s data.
Despite this being a negligible thing, in my opinion, it’s nice to see that Google is listening to the concerns and is working on a resolution to these problems. Hopefully they will figure out something soon.
Source: Google Commerce Blog