Pair of Exploits Question Google Wallet’s Security

One of the components of Google Wallet’s mobile payment system is the secure element of the phone’s NFC transceiver, which stores account details supposedly out of malware’s reach. This also affords the opportunity for adding a security layer to mobile payments by requiring the entry of a user-defined PIN before the secure element will release your payment info. At least, that’s the way things are supposed to work, but a couple recent discoveries are raising questions about just how secure this implementation is, after all.

The first attack on Google Wallet demonstrates the ability to retrieve the PIN needed to authenticate transactions when you have root access to the phone. After analyzing Google Wallet code, a team of security researchers discovered that a locally-stored hash could be used to brute force the PIN without detection; after all, it doesn’t take long for a modern processor to try all 10,000 four-digit combinations.

Google’s aware of that vulnerability, but it’s not clear if a fix is forthcoming. Google knows how to correct the problem, but like so much of the nonsense surrounding NFC deployment, the companies involved are getting into a power struggle; there’s concern that doing all PIN authentication on-board the NFC secure element, which would fix this problem, would create new legal issues over just which company would now be liable for secure PIN storage. For the moment, Google’s simply warning concerned users not to root their phones.

Following Google’s response, another supposed vulnerability emerged, and this time one that doesn’t require root access. The idea is that you can take a phone with Google Wallet installed, clear the app’s data under application settings, and go upon setting it up again. You’ll be prompted to set your own PIN, but when you go to add a payment option to your account, the phone should still remember a Google prepaid card that was already used with Google Wallet. You’re then apparently able to conduct transactions, using your new PIN, but with your purchases tied to the old prepaid card. Google’s advice regarding this exploit is to call-in and cancel your prepaid card if you lose your phone.

Source: Zvelo, Android Guys, The Smartphone Champ

Via: Android and Me

Share This Post

Watch the Latest Pocketnow Videos

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits Read more about Stephen Schenck!