Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Works to Fix Security Concerns Surrounding Google Wallet

Over the weekend, Google addressed two separate security issues within Google Wallet, one which takes some skill and knowledge to exploit, and one that anyone searching the lost and found box can exploit – assuming they are aware of it.

Over the weekend, Google addressed two separate security issues within Google Wallet, one which takes some skill and knowledge to exploit, and one that anyone searching the lost and found box can exploit – assuming they are aware of it.

Google Wallet Security VulnerabilityThe first issue, discovered by researchers at the security firm zvelo, allowed them to discover the Google Wallet PIN, after brute forcing the application’s SQLite database. In order for this trick to work, the device must first be rooted, and after that, the cracking application must have the UID matched to the UID of Google Wallet or 0, something that zvelo did not mention in their report.

“zvelo feels that the fact that this attack requires root permissions does not in the least bit diminish the risk it imposes on users of Google Wallet. Our reasoning is simple: Presently, the PIN is easily revealed, but with the proper fix in place, the PIN will be nearly impossible to crack. It is as simple as that,” the company said in their initial report.

When asked about the vulnerability, Google pointed out something many of those who take pride in their rooting skills noticed immediately, namely that in order for it to work, the device had to have been rooted, and its security stripped. “The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device,” a Google spokesperson told SecurityWeek via email.

In addition, the spokesperson noted that to date, there are no known methods available to take a consumer phone and gain root access, while preserving any Wallet information – including the PIN.

“We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.”

The second vulnerability concern deals with unauthorized access to a device. Anyone who does not lock their screen, and happens to have their Google Wallet-enabled smartphone fall into someone else’s hands, could not only lose the hardware itself, but all of the money associated with the Wallet account.

This is because the Google Wallet information, such as balance, is linked to the device itself, and not a person’s Google account. In order for it to work, all an unauthorized user needs to do is reset the Wallet settings in the application’s menu. Once that is done, they’ll be prompted to enter a new PIN, which would enable them to access the funds associated with the device itself.

Google is aware of the issue and working to fix it. In the meantime, in addition to not rooting the device itself, the use of screen locks is a highly – they are willing to beg here – encouraged act.

Advertisement. Scroll to continue reading.

“…to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock…we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon,” said Osama Bedier, the VP of Google Wallet and Payments.

Moreover, if you are a Wallet customer, and you happen to have your device stolen or you lose it, you can protect yourself by reporting this fact to Google Wallet Support at 855-492-5538.

Related: Unencrypted Data Weakens Google Wallet (For Now)

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.