Researcher Says Google Wallet Is Risky
A security researcher has found a vulnerability in Google Wallet, Google's mobile payments platform, which is currently available on some phones.
The vulnerability in Google Wallet was identified by Joshua Rubin, a senior engineer with zvelo.
The researcher developed an app that he says can break the PIN required to launch the Google Wallet app. He posted a video on his blog demonstrating how it works.
Rubin said that he had disclosed his findings to Google and that the company "was able to confirm the issue and agreed to work quickly to resolve it."
Google said that the study in question was conducted on a phone whose security mechanisms had been disabled.
"Google Wallet is protected by a PIN - as well as the phone's lock screen, if a user sets that option. But sometimes users choose to disable important security mechanisms in order to gain system-level "root" access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That's why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device," said Osama Bedier, Vice President, Google Wallet and Payments.
"We also take concrete actions to help protect our users. For example, to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon," he added.
The "hack" does not seem very "dangerous", since the hacker would need the phone itself in order to make payments using the stolen Google Wallet.