Two security holes have been found in the NFC-based mobile payment app Google Wallet. Both rooted and stock devices are vulnerable to the flaws, though Google assures users that so long as you keep a secure screen lock on your device you won't be at risk. Check here as the updates roll in regarding Google Wallet's security concerns.
If you opened up Google Wallet today, you may have noticed there's an extra $5 sitting on your pre-paid card. It turns out it's not a glitch: it's compensation from Google Wallet in exchange for the provisioning hassles the service has been experiencing this year.
Google has changed Google Wallet to allow users to set up their existing pre-paid cards directly on the phone without calling into Google.
According to Droid Life, users on rooted phones are now presented with a warning that their device is not a supported Google Wallet device, though the app will still function perfectly fine. Unfortunately, it's not a proper fix — the hole that allowed hackers to crack the security PIN that protects Wallet is still alive and well.
Google has updated its blog post about the Google Wallet prepaid card security hole, letting us know that it has re-activated provisioning and also put out a fix for the original problem.
Following discoveries that both rooted and stock Android phones are vulnerable to attack, vice president of Google Wallet and payments Osama Bedier posted a letter defending the service and reassuring customers that it is still safer than traditional payment methods.
Google Wallet can trivially be tricked into providing access to the default Pre-Paid card attached to every account. Google is working on a fix, but in the meantime all users should set a lockscreen password.
The security of the PIN that protects Google Wallet transactions has been compromised — though most users won't need to worry about the issue for now, as it only applies to users who have rooted their Android smartphone. The key issue is that the PIN is stored on the device itself instead of in the secure NFC element, although it is in an encrypted format.