One of the components of Google Wallet’s mobile payment system is the secure element of the phone’s NFC transceiver, which stores account details supposedly out of malware’s reach. This also affords the opportunity for adding a security layer to mobile payments by requiring the entry of a user-defined PIN before the secure element will release your payment info. At least, that’s the way things are supposed to work, but a couple of recent discoveries are raising questions about just how secure this implementation is, after all.
The first attack on Google Wallet demonstrates the ability to retrieve the PIN needed to authenticate transactions when you have root access to the phone. After analyzing Google Wallet code, a team of security researchers discovered that a locally stored hash could be used to brute-force the PIN without detection; after all, it doesn’t take long for a modern processor to try all 10,000 four-digit combinations.
Google’s aware of that vulnerability, but it’s not clear if a fix is forthcoming. Google knows how to correct the problem, but like so much of the nonsense surrounding NFC deployment, the companies involved are getting into a power struggle; there’s concern that doing all PIN authentication on-board the NFC secure element, which would fix this problem, would create new legal issues over just which company would now be liable for secure PIN storage. For the moment, Google’s simply warning concerned users not to root their phones.
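To make the two paragraphs above concrete, here is an added example (not Google Wallet code and not from the researchers) that contrasts a PIN hash readable outside the secure element with PIN checking kept on the chip. The salted SHA-256 scheme, the salt and PIN values, the `OnChipVerifier` class and its five-try retry counter are all assumptions made for illustration.

```python
import hashlib
import hmac

SALT = bytes.fromhex("a1b2c3d4e5f60718")  # constructed sample salt

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumption: salted SHA-256; the page does not name the real scheme.
    return hashlib.sha256(salt + pin.encode()).digest()

def recover_pin(stored_hash: bytes, salt: bytes):
    """Walk the full 4-digit keyspace against a hash readable off-chip.
    Returns (pin or None, number of guesses made)."""
    for n in range(10_000):
        candidate = f"{n:04d}"
        if hmac.compare_digest(hash_pin(candidate, salt), stored_hash):
            return candidate, n + 1
    return None, 10_000

class OnChipVerifier:
    """Toy model of PIN checking kept inside the secure element: the
    PIN is never exported and a retry counter (assumed) locks it."""
    def __init__(self, pin: str, max_tries: int = 5):
        self._pin = pin
        self._max_tries = max_tries
        self._tries_left = max_tries

    def verify(self, guess: str) -> bool:
        if self._tries_left == 0:
            raise PermissionError("PIN locked")
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self._tries_left = self._max_tries  # reset on success
            return True
        self._tries_left -= 1
        return False

def enumerate_on_chip(verifier: OnChipVerifier):
    """Same enumeration, but every guess must go through the chip."""
    for n in range(10_000):
        try:
            if verifier.verify(f"{n:04d}"):
                return f"{n:04d}", n + 1
        except PermissionError:
            return None, n  # locked after n guesses
    return None, 10_000

if __name__ == "__main__":
    pin = "7391"  # constructed sample PIN
    print(recover_pin(hash_pin(pin, SALT), SALT))
    print(enumerate_on_chip(OnChipVerifier(pin)))
```

The salt does nothing to help here: with only 10,000 candidates, any hash that can be read and tested offline is exhausted almost instantly, while the on-chip model stops the same loop at the retry limit.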
Following Google’s response, another supposed vulnerability emerged, and this time one that doesn’t require root access. The idea is that you can take a phone with Google Wallet installed, clear the app’s data under application settings, and go about setting it up again. You’ll be prompted to set your own PIN, but when you go to add a payment option to your account, the phone should still remember a Google prepaid card that was already used with Google Wallet. You’re then apparently able to conduct transactions, using your new PIN, but with your purchases tied to the old prepaid card. Google’s advice regarding this exploit is to call in and cancel your prepaid card if you lose your phone.