Google Wallet security holes threaten both rooted and stock devices

Two security holes have been found in the NFC-based mobile payment app Google Wallet. Both rooted and stock devices are vulnerable to the flaws, though Google assures users that so long as you keep a secure screen lock on your device you won't be at risk. Check here as the updates roll in regarding Google Wallet's security concerns.

  • Dieter Bohn

    Mar 21, 2012

    Current Google Wallet customers given $5 on pre-paid cards for all the provisioning hassles

    If you opened up Google Wallet today, you may have noticed there's an extra $5 sitting on your pre-paid card. It turns out it's not a glitch, it's compensation from Google Wallet in exchange for the provisioning hassles the service has been experiencing this year. In an email to all customers, the company writes:

    If you're not up on the entire Google Wallet saga, here's a quick recap. On February 9th, it was discovered that it was trivial to access Google Wallet prepaid accounts on a stolen phone by clearing the app's data and re-provisioning it. Google disabled creating new cards, then re-enabled that but left re-provisioning disabled, then re-enabled the whole thing by securing it with a Google Account password. If you've been living through this entire ordeal as a Google Wallet customer, five bucks seems like the least the company could do.

  • Dieter Bohn

    Mar 9, 2012

    Google re-enables pre-paid card re-provisioning in Google Wallet, with password-based security

    Ever since initial reports about security holes in Google Wallet bloomed into a full-scale problem that gave potential thieves access to pre-paid cards, Google has been scrambling to patch up security holes and assure users that its mobile payment solution is still more secure than your average credit card. The largest hole involved a simple process of clearing app data and re-initializing the app in order to gain access to a pre-existing pre-paid card. Google first locked down access to new or re-provisioned cards immediately. After a few days, the company opened up the creation of new pre-paid cards while requiring users to call in to Google to re-provision existing cards.

    Now three weeks have passed, and the company has gone a step further by allowing users to set up their existing pre-paid cards directly on the phone without calling in to Google. In order to make it secure, the Google Wallet app now requires users to re-enter their Google account password on the first launch. We tested the change and, yes, you are made to re-enter your Google account password, but it's a bit of a hack, as the dialog only says that "You entered the wrong password or your account has changed." Neither, technically, was the case, but the fact that this is the message we're seeing instead of something that actually describes what's going on (namely, that it's using this password to help verify your identity and protect your money) makes us wonder just how hacked-together this new solution is.

  • Dante D'Orazio

    Mar 5, 2012

    Google Wallet app now notifies rooted users that they're not supported

    It looks like Google is closing the book on the security concerns surrounding Google Wallet. The search giant released a software update a couple of weeks ago that patched the hole that made prepaid funds vulnerable to theft, and now the company has released its solution for those with rooted devices. According to Droid Life, users on rooted phones are now presented with a warning that their device is not supported by Google Wallet, though the app will still function perfectly fine. Unfortunately, it's not a proper fix — the vulnerability on rooted phones that allowed hackers to crack the security PIN that protects Wallet is alive and well. We still hope that the company will rewrite the program in the future to fix this problem, but for now, be sure to be extra careful (read: enable a screen lock) if you're using Google Wallet on a rooted device.

  • Dieter Bohn

    Feb 15, 2012

    Google Wallet restores prepaid cards, patches re-provisioning security hole

    Google has updated its blog post about the Google Wallet prepaid card security hole, letting us know that it has re-activated provisioning and also put out a fix for the original problem. Last week it was discovered that Google Wallet had a serious security issue that affected all users, in which anybody could clear the app data from Google Wallet, re-open it, and gain access to the prepaid card. In response, Google shut down provisioning for the prepaid cards altogether — until now, that is. Here is Google's updated statement:

    We re-tested the original method for gaining access to the prepaid card, clearing our app data and relaunching Google Wallet. This time around, on attempting to re-provision a card, we were simply met with an error message that says "Prepaid is unavailable" and offers two options: "Try Again" and "Remove Card." We're not entirely sure that is an ideal fix, but chances are that if you are dealing with a problematic card, Google would like you to call in for assistance just as you would if you lost an actual credit card.

  • Dante D'Orazio

    Feb 11, 2012

    Google Wallet reassures customers of safety, turns off prepaid card provisioning

    Following discoveries that both rooted and stock Android phones are vulnerable to attack, vice president of Google Wallet and payments Osama Bedier posted a letter today defending the service and reassuring customers that it is still safer than traditional payment methods. He notes that Google Wallet is protected by both an in-app PIN and a screen lock (if you have one set up), and in order to maintain security, he recommends that all Google Wallet users keep their phones unrooted, since it's not hard for a thief to access your Wallet PIN on a rooted phone. Additionally, to help keep stock devices safe following the latest finding that funds could be accessed by simply wiping the application's settings, the team has temporarily turned off provisioning of prepaid cards, preventing you from setting up a new card (old ones should still work just fine).

    In the statement, the executive also reminds users that Google will help you out if you lose your phone: you can call them up (855-492-5538) and have the app disabled. In the meantime, be sure to turn on a screen lock on your phone, will you?

  • Dieter Bohn

    Feb 9, 2012

    Second Google Wallet security vulnerability confirmed, affects all users

    After the news yesterday that it is possible to crack the PIN on the Google Wallet software on rooted Android devices, a second security flaw has been uncovered that affects all users. The "attack" works thusly: if somebody takes your phone, he or she can go into the app settings for Google Wallet and tap "Clear data." This will erase all of the Google Wallet data stored on the phone. When that person then opens Google Wallet, it offers its initial setup process again, including setting up a new PIN and tying Google Wallet to a Google account. That's when the real issue arises, as that person can re-add the default Google Wallet pre-paid card to the app, and since Google Wallet is tied specifically to the hardware instead of to an account, it re-adds the same pre-paid card that was present before. In other words, any funds you have added to the pre-paid card will be available to the thief. That person will have set up a new PIN as well, so he or she would be free to use it to make payments. This method was uncovered by The Smartphone Champ and we just independently verified that it works, successfully re-adding the same pre-paid card to a reset Google Wallet app, funds and all.

    We reached out to Google for a statement and a spokesman for the company verified the security hole, but also said Google is working on a fix:

  • Dieter Bohn

    Feb 9, 2012

    Google Wallet PIN cracked on rooted Android devices

    The security of the PIN that protects Google Wallet transactions has been compromised, though most users won't need to worry about the issue for now, as it only applies to users who have rooted their Android smartphone. The key issue is that the PIN is stored on the device itself instead of in the secure NFC element, although it is in an encrypted format. That means that if your Android smartphone is rooted and somebody takes your phone, he or she will be able to access the encrypted file that stores your PIN. From there, it's a relatively simple matter of running a program that uses a brute force method to guess your PIN.

    Protecting yourself against this issue is a fairly straightforward matter: either don't root your phone or, if you do, be sure that you've set a lock screen code to lock your device from the start. Google is aware of the issue but will apparently have to fundamentally change how Wallet's security infrastructure is set up in order to resolve it, moving the responsibility for securing the PIN from Google to the banks that power Google Wallet. The security firm that discovered the hole, zvelo, says that the decision on the next step "is in the banks' hands," and offers a few additional ideas for securing your device until those banks make up their minds.
