Google Wallet flaw allows digital pickpocket

A new and troubling vulnerability in Google Wallet has been exposed. Unlike the low-risk security issue identified yesterday, today's flaw is described as painfully easy to exploit.


Security firm Zvelo yesterday discovered a vulnerability in Google Wallet, Google's NFC payment system, that allows anyone holding an already-rooted smartphone running Google Wallet to access the Google Wallet PIN.

Such a vulnerability allows a hacker to use a Google Wallet-enabled smartphone to make purchases using the credit card information tied to the NFC chip. However, Google points out that this is a low-risk situation, because it only works if the smartphone has already been rooted (by the owner), and the credit card information, while usable, is still secure.

Easy Exploit

Today's more serious glitch is reported by smartphone blog The Smartphone Champ, which describes a security flaw in Google Wallet that is "painfully easy to do," requires no extra software (unlike the Zvelo flaw), and does not require a rooted device.

Basically, the problem stems from the fact that credit card data is tied to the device, not a person's Google account. So anyone holding a Google Wallet-enabled phone can change the Google Wallet PIN by going into the application settings menu and clearing the data for the Google Wallet app. Once this is done, the Google Wallet app will prompt the user/hacker for a new PIN.

Because the card data is tied to the device, when the user/hacker adds the Google prepaid card to the Google Wallet app after resetting the data, the old card data will be added to the app. So the user/hacker will now be able to access the card's funds -- although it should be noted that the credit card data will still be secure (but does it really matter if it's secure when someone else can access your funds?).

This vulnerability is a much bigger deal than the Zvelo one, because it's easy to perform (the Zvelo vulnerability required a modicum of hacking knowledge to crack), and it can be performed on any device - rooted or not.

Google's Advice

Google has noted the security flaw and tells PCWorld it's currently working on an automated fix that will be available soon. Meanwhile, Google recommends that all Google Wallet users set up a lock screen as an additional layer of protection for their phone.
1 Comment
google Google may be downplaying this, but it remains a huge security issue, and I hope we will hear an answer back from them in less than 24 hours...

Henry Bowen
referencement Google
Posted by Anonymous at 1:06:18 on February 15, 2012
