Report: Google Wallet's PIN fails to fully protect - Update
According to a report on The Smartphone Champ blog, the PIN authentication in Google's Wallet mobile payment system can be bypassed using a simple trick. The flaw was actually identified last year on the XDA developer forums.
At the core of Google Wallet is an Android app that, like a credit card, allows users to pay for products and services using near field communication (NFC) technology. The service is currently only available in the US. Google Wallet also associates the phone's hardware with a pre-paid debit card so that the phone itself can hold "cash".
After starting the app, users who have access to an unlocked phone are normally required to enter a 4-digit PIN before they can access the Google Wallet account and make payments; this is intended as an added security measure should a phone fall into the wrong hands. However, the flaw allows this protection mechanism to be bypassed by resetting the app from the phone's Settings application.
To do this, in the phone's Settings application, navigate to Apps, then to Wallet and select "Clear Data" to clear any data that the app has created. When the Wallet app is restarted it will prompt for a new PIN. Although the app is now disconnected from the owner's Google Wallet account, choosing to add a pre-paid card automatically adds the virtual pre-paid card already held on the phone and allows any funds that were on that pre-paid card to be spent using the new PIN.
Google is aware of the problem and has confirmed it to US tech site The Verge. Google recommends that anyone who loses their phone – or sells or gives away their phone – should call Google Wallet's US support line (toll-free 855-492-5538) and ask for the prepaid card associated with the phone to be disabled. Google are working on an "automated fix" and in the meantime recommend that users protect themselves by enabling "screen lock" on the device.
Recently, another security researcher discovered that the Wallet's PIN can be extracted from smartphones that have been "rooted" to remove security restrictions and allow unsigned code to be executed. Google responded by discouraging users from installing Google Wallet on rooted devices. The company says that "To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN".
Update - Google have now "temporarily disabled" the provisioning of pre-paid cards while they prepare a permanent fix for the problem.
- Forensic specialists analyse Google Wallet, a report from The H.