After the news yesterday that it is possible to crack the PIN on the Google Wallet software on rooted Android devices, a second security flaw has been uncovered that affects all users. The "attack" works thusly: if somebody takes your phone, he or she can go into the app settings for Google Wallet and tap "Clear data." This will erase all of the Google Wallet data stored on the phone. When that person then opens Google Wallet, it offers its initial setup process again, including setting up a new PIN and tying Google Wallet to a Google account. That's when the real issue arises, as that person can re-add the default Google Wallet pre-paid card to the app — and since Google Wallet is tied specifically to the hardware instead of to an account, it re-adds the same pre-paid card that was present before. In other words, any funds you have added to the the pre-paid card will be available to the thief. That person will have set up a new PIN as well, so he or she would be free to use it to make payments. This method was uncovered by The Smartphone Champ and we just independently verified that it works, successfully re-adding the same pre-paid card to a reset Google Wallet app, funds and all.
We reached out to Google for a statement and a spokesman for the company verified the security hole, but also said Google is working on a fix:
We strongly encourage anyone who loses or wants to sell or give away their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.
We have to agree — if you're a Google Wallet user, you should be setting a lockscreen password or pattern on your phone and if you lose it, call in to the number above. At the end of the day, no payment solution can ever be entirely secure — losing a credit card presents the same sorts of issues. That said, it's a black mark for Google that its Wallet app can so easily be exploited and hopefully the promised "automated fix" will be released soon.