Flaw lets crooks rob Google Wallets

By on
Flaw lets crooks rob Google Wallets

Google kills Android app "as a precaution".

Google has temporarily disabled the creation of prepaid payment cards while it investigates two security flaws made public last week that allow access to users' Google Wallet accounts on Android phones.

"We took this step as a precaution until we issue a permanent fix soon," Google Wallet and Payments vice president Osama Bedier said in a statement.

The Google Wallet mobile payment system allows US users to store credit and gift cards on mobile handsets, and uses near field communication to transact with PayPass-enabled terminals.

But a vulnerability in the design of the application on Android phones allows Google Wallet accounts to be recovered. 

Account data could be recovered by deleting saved data from a phone's settings and relaunching the Wallet application. This puts Google Wallet through the setup process and allows a new PIN  to be created to access funds stored on the device.

“Just like with any other credit card, you can get support when you need it,” Bedier wrote in his post. “We provide toll-free assistance in case you lose your phone or someone manages to make an unauthorised transaction.”

Because the Google Wallet account is linked to the device and not a Google account, the thief need not know the owner's login information. Resetting the password would allow them to log into Google Wallet and create a new, prepaid card using funds stored in the account on that phone.

Zvelo research engineer Joshua Rubin demonstrated how a “Wallet cracker” app can quickly identify the PIN on the device.

However, a Google spokesman said that the approach Rubin used is unlikely to work for the vast majority of Android phones.

Rubin required root access in order to run the cracker application, the spokesman told SCMagazine.com.

Since he was working on his own phone, he could have accessed the root without damaging the data.

If, however, he tried to gain root access on someone else's phone without having the right code to do so, the attempt would have deleted all data on the phone automatically before he got access to the PIN. Officially, the spokesman said, Google does not support Wallet on a rooted device.

Google hopes to have a fix for the initial problem related to non-rooted devices later this week. The fix for the rooted devices might take longer, the Google spokesman said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?