Google users warned of threat to smartphone wallets

Feb 10, 2012
Users of Google smartphone wallets were being warned on Friday that there is a way to crack pass codes intended to thwart thieves from going on illicit shopping sprees.

Users of Google smartphone wallets were being warned on Friday that there is a way to crack pass codes intended to thwart thieves from going on illicit shopping sprees.

Zvelo Labs researcher Joshua Rubin was featured in a video at the company's website demonstrating software that quickly figures out a Google (PIN), provided the crook has the .

Rubin said that Google has been alerted to the vulnerability and is moving swiftly to fix it. He has not made his wallet "Cracker" application public.

This video is not supported by your browser at this time.

"Google Wallet allows only five invalid PIN entry attempts before locking the user out," Rubin said in a blog post.

"With this attack, the PIN can be revealed without even a single invalid attempt," he continued. "This completely negates all of the security of this mobile phone payment system."

Google declined an AFP request for comment.

"Once attackers get your PIN, they have full access to any stored in the app and they can use your phone to make purchases," McAfee researcher Jimmy Shah said in a blog post.

"As a user of Google Wallet, the main security you see is the PIN," McAfee added.

"What makes Wallet easy for you to use now makes it easy for attackers to use; they can now spend your money and credit just as if your phone were an ATM card."

Rubin dismissed the threat of hackers picking Google Wallets remotely, explaining that physical access is needed to get priority access to controls in a process called "rooting."

Security specialists advise Google Wallet users not to "root" smartphones, and to enable such as full-disk encryption and screen locks.

Google Wallet is available only on Nexus S and Galaxy Nexus smartphones. Google said it planned to expand the feature to more Android phones.

Google Wallet uses a near field communication (NFC) chip embedded in a phone to allow a user to "tap-and-pay" for purchases at a checkout register equipped with the PayPass system from CitiMasterCard.

Customers can also use a Google Prepaid card to pay for purchases, topping up the Google card with any payment card, and take advantage of Google Offers, the Mountain View, California-based company's online discount coupon program.

In addition to allowing for mobile payments, Wallet allows consumers to pay using gift cards and to redeem promotions such as discounts or coupons.

Explore further: Turkey still hopes Twitter will open local office

add to favorites email to friend print save as pdf

Related Stories

PayPal letting Google phones swap cash

Jul 13, 2011

Online financial transactions giant PayPal on Wednesday showed off a mini-program that lets people exchange money by touching together a pair of Google smartphones.

Recommended for you

Net neutrality balancing act

17 hours ago

Researchers in Italy, writing in the International Journal of Technology, Policy and Management have demonstrated that net neutrality benefits content creator and consumers without compromising provider innovation nor pr ...

Twitter rules out Turkey office amid tax row

Apr 16, 2014

Social networking company Twitter on Wednesday rejected demands from the Turkish government to open an office there, following accusations of tax evasion and a two-week ban on the service.

How does false information spread online?

Apr 16, 2014

Last summer the World Economic Forum (WEF) invited its 1,500 council members to identify top trends facing the world, including what should be done about them. The WEF consists of 80 councils covering a wide range of issues including social media. Members come ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

chromosome2
not rated yet Feb 12, 2012
The only phones that have Google Wallet have operating systems that the carriers haven't had an opportunity to screw up, so, I don't see why one would root them. I rooted my HTC Incredible because my first phone was the Droid and I couldn't stand sense, and gosh darnit, if I'm going to buy a $700 pocket computer, it's going to do what *I* want it to do. The Nexus phones already do that.

More news stories

Hackathon team's GoogolPlex gives Siri extra powers

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Better thermal-imaging lens from waste sulfur

Sulfur left over from refining fossil fuels can be transformed into cheap, lightweight, plastic lenses for infrared devices, including night-vision goggles, a University of Arizona-led international team ...

Chronic inflammation linked to 'high-grade' prostate cancer

Men who show signs of chronic inflammation in non-cancerous prostate tissue may have nearly twice the risk of actually having prostate cancer than those with no inflammation, according to results of a new study led by researchers ...