Google Wallet, Google’s nifty mobile technology that turns your smartphone into a digital wallet, oozes convenience, but there was always something about it that screamed “security nightmare!” As it turns out, the privacy buffs had every right to be concerned because the service showed just how vulnerable it can be when it was hacked not once but on two separate occasions.
The first flaw was detected by Zvelo, makers of all kinds of software, including Wallet Cracker, the program that set off the security alarm. By using a common hacking technique known as brute force, Wallet Cracker was able to access the PIN, the personal security code designed to keep prying eyes out of the user’s wallet. This is obviously a huge problem, but luckily, the vulnerability only affected rooted phones, with "rooted" referring to the Android equivalent of a jailbroken iPhone or an unlocked Windows Mobile phone.
After discovering the security issue, Zvelo reported the problem to Google, who in turn said that it would work quickly to straighten things out. Unfortunately, the Google Wallet security woes had only just begun. A mere day after Zvelo found the vulnerability in rooted phones, another security hole was discovered by technology blog publisher The Smartphone Champ. This particular flaw exposed PINs as well, but on non-rooted Android devices. The second vulnerability was considered far more serious than the first because it was significantly easier to exploit.
With the vulnerability Zvelo pointed out, an attacker would have to use a brute-force tool like Wallet Cracker to decrypt encrypted files, which would then provide them with access to the user’s PIN. The flaw detected by The Smartphone Champ simply called for the attacker to clear data in the application settings, essentially forcing Google Wallet to reset and request a new PIN from the user. From there, all the attacker would have to do is connect a compatible prepaid card and gain access to whatever funds were previously available.
Google announced that the security issues have been addressed and all is once again well in the world of Google Wallet. And even though both hacks require the user’s mobile phone to fall into the wrong hands in order for their PIN to be accessed, there are still some extra precautions that can be taken to keep yourself protected.
Avoid rooting your Android device. Sure, there are a few advantages to be had by rooting your phone, but there are also some major cons (making a crook’s work much easier being one of them).
Keep your screen locked. Combined with assigning your own personal password, simply keeping your screen locked can add an extra layer of protection for any data connected to Google Wallet.
Use full disk encryption. If your device has full disk encryption, you definitely want to put it to use. Android does not support this function natively, but is compatible with applications that do.
Keep your device updated. Another simple but effective way to protect yourself while using Google Wallet is to make sure your device is kept fresh with the latest software updates. Security threats become more advanced by the day, so any lack in the update department is a surefire way to leave yourself open to an attack.
With Google Wallet proven not to be as secure as its creators once thought, the long-term viability of the recently introduced payment service is now in question. Mobile payments definitely appear to be the future, but whether Google is leading the way remains to be seen. This time, the internet giant’s service was compromised by friendly researchers. If there is a next time, it could be an attack orchestrated by hackers with ill intentions.