Pair of Exploits Question Google Wallet’s Security

By Stephen Schenck | February 9, 2012 11:50 PM

One of the components of Google Wallet’s mobile payment system is the secure element of the phone’s NFC transceiver, which stores account details supposedly out of malware’s reach. This also affords the opportunity for adding a security layer to mobile payments by requiring the entry of a user-defined PIN before the secure element will release your payment info. At least, that’s the way things are supposed to work, but a couple recent discoveries are raising questions about just how secure this implementation is, after all.

The first attack on Google Wallet demonstrates the ability to retrieve the PIN needed to authenticate transactions when you have root access to the phone. After analyzing Google Wallet code, a team of security researchers discovered that a locally-stored hash could be used to brute force the PIN without detection; after all, it doesn’t take long for a modern processor to try all 10,000 four-digit combinations.

Google’s aware of that vulnerability, but it’s not clear if a fix is forthcoming. Google knows how to correct the problem, but like so much of the nonsense surrounding NFC deployment, the companies involved are getting into a power struggle; there’s concern that doing all PIN authentication on-board the NFC secure element, which would fix this problem, would create new legal issues over just which company would now be liable for secure PIN storage. For the moment, Google’s simply warning concerned users not to root their phones.

Following Google’s response, another supposed vulnerability emerged, and this time one that doesn’t require root access. The idea is that you can take a phone with Google Wallet installed, clear the app’s data under application settings, and go upon setting it up again. You’ll be prompted to set your own PIN, but when you go to add a payment option to your account, the phone should still remember a Google prepaid card that was already used with Google Wallet. You’re then apparently able to conduct transactions, using your new PIN, but with your purchases tied to the old prepaid card. Google’s advice regarding this exploit is to call-in and cancel your prepaid card if you lose your phone.

Source: Zvelo, Android Guys, The Smartphone Champ

Via: Android and Me

This post has been tagged with:
Related to this post
Google Abandons Plans for Google Wallet Card?
Google Support Site Confirms Google Wallet Card, Offers ...
Google Wallet Starts Accepting Prepaid Card Refund Requests
Google Phasing-Out Wallet Prepaid Card; How To Keep Your Money
Google Wallet Gets Some Big Changes; What’s Being Impacted?
Virgin Mobile Throws In $25 To Your Google Wallet If You Get the ...
Popular Posts
HTC Addresses “One Google Edition” Rumors
How Hangouts Will Change the Way I Communicate
Nokia Ditches Metal-vs-Plastic Battle, Does Both On Same Phone
Pocketnow Live, Ep. 16: Nokia and Google I/O Reactions
Our Shows
Latest Video
Galaxy S 4 Record Sales, HTC One Production Increase, Nokia EOS Spotted & More - Pocketnow Daily
Up Next
Nokia Lumia 925 vs Samsung Galaxy S 4 vs HTC One
Popular Videos
Nokia Lumia 925 Hands On
Nokia Lumia 925 Silver vs Black
Mobile Version