Google has updated its blog post about the Google Wallet prepaid card security hole, letting us know that it has re-activated provisioning and also put out a fix for the original problem. Last week it was discovered that Google Wallet had a serious security issue that affected all users, in which anybody could clear the app data from Google Wallet, re-open it, and gain access to the prepaid card. In response, Google shut down provisioning for the prepaid cards altogether — until now, that is. Here is Google's updated statement:
Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet. In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user. While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers. If you are unable to access your previous prepaid card balance for any reason, please contact our toll-free support for assistance.
We re-tested the original method for gaining access to the prepaid card, clearing our app data and relaunching Google Wallet. This time around, on attempting to re-provision a card, we were simply met with an error message stating "Prepaid is unavailable" and offering two options: "Try Again" and "Remove Card." We're not entirely sure that is an ideal fix, but chances are that if you are dealing with a problematic card, Google would like you to call in for assistance just as you would if you lost an actual credit card.
While Google may have resolved this problem, the earlier issue that had only worked on rooted devices has come back to haunt the company. The same firm that originally cracked Google's PIN for Wallet, zvelo, has confirmed that it is possible to achieve root permissions on an Android device without actually clearing its data. Typically, when rooting a device, all data on it gets erased, eliminating most Wallet concerns. With zvelo's new method for achieving root-level permissions, the original cracking attack on Google Wallet could be applied to non-rooted users.
While it's easy to get wrapped up in the security story with Google Wallet, the bottom line is this: if you're using your phone as a credit card, you should treat it like a credit card. If you lose a credit card, you call your bank — and if you lose a phone with an active Google Wallet account, you should do the same.
Update: Zvelo contacted us with a note that physical access to the device is not required to gain access to Google Wallet data: a malicious app could initiate a brute-force attack to guess your Google Wallet PIN code, obtain root-level device access (even on a handset that hasn't been tampered with by the user), and then transmit the data back to a remote server.