Anything that only requires a physical tap to take money away from you always sounds ripe for exploitation. It may be convenient, but with Google Wallet’s PIN system cracked twice in the past two days, compromised on both rooted and unrooted Android phones, safety is going to have to come before convenience.
The first attack came when security firm zvelo discovered that a rooted Galaxy Nexus stores PINs on the device rather than in the secure NFC chip, which leaves the phone vulnerable to brute-force attacks. If the phone falls into the wrong hands, your PIN and any other passwords saved on the device can easily be recovered by a program that tries every possible combination until the correct one is found. That’s the risk you take when you root your phone, right?
Not quite. A second security breach was discovered a day later, finding that unrooted phones were also in danger. This time, the method is foolproof: All the user has to do to enable Google Wallet is reset the data under the app settings, which will prompt them to enter a new PIN without asking for the old PIN. After wiping the old data, this new bypass allows the user to link the account to a Google Prepaid Card, which then provides access to all previously available funds. Now, the phone is as good as a cashier not asking to see your ID when you pay with credit card. Even if the user changes their PIN again, a hacker can still reset everything as if it’s PINs on demand.
In a public statement, a Google spokesperson acknowledged the security issue and advised concerned users to call the Google Wallet support line for help.
“We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card,” the company spokesperson said. “We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”
The safest way for Google to store your PIN is to secure it in the NFC chip, which requires action from your banks. While the two parties sort out new terms of service, don’t panic: there are several things you can do to keep your phone safe in the meantime. To prevent your device from being brute-forced, disable the USB debugging option in settings and enable Full Disk Encryption. If your phone supports it, limit the number of login attempts, since it should take a hacker more than five or so tries to uncover your passcode. You should also install a phone-tracking app in case you ever misplace the device, and make sure your password is a combination of letters, numbers and symbols to make guessing harder. Of course, none of these steps guarantees your safety as well as not losing your phone in the first place, so even if Google Wallet comes out with a new security system, you should always take these precautions to ensure your privacy is for your eyes only.