Google Wallet Hacked, Still Safer Than Your Actual Wallet


Poor Google Wallet, hacked twice in 48 hours. Bad enough that Google has had difficulty getting the payment service approved by Verizon for its flagship Galaxy Nexus. Now, just as people are figuring out simple ways to get Wallet on their phones, a new scandal rocks the nascent world of Android mobile payments. Wednesday evening, a flaw was revealed that would let a thief gain the pin-code securing the Wallet app. With access to the pin, the thief can use any credit card associated with the device. The hack relies on the vulnerability of short passwords, like a four-digit numerical pin, to brute-force attacks. At first glance, this seemed like a catastrophic blow to the Google payment service.

Video: http://www.youtube.com/watch?v=P655GXnE_ic

Fortunately, the hack only works on rooted devices. When a user roots their Android device, they remove a layer of security, revealing parts of the device’s software not meant to be user accessible. This is yet another example of why you should never root your phone or tablet unless you understand what the repercussions are. You’re trading security for the extra features you can get on a rooted device.

In the end, this vulnerability is extremely minor. Most users aren’t rooted. Rooting the Galaxy Nexus or Nexus S (the only devices compatible with Google Wallet to date) involves unlocking the bootloader, which wipes the device and removes your Wallet account, so a thief can’t do it themselves after they get your phone and still get into your Wallet. Careful users will also take advantage of Android’s built-in security features, which provide users with four different ways to lock the device against unauthorized users, keeping thieves well away from even trying to access Google Wallet in the first place. Most importantly of all, if all else fails, the thief needs physical access to your phone to use the credit cards associated with Wallet. You know, the same way they could if they stole your actual wallet and credit cards. We don’t cut up our credit cards out of fear that someone might steal our wallets; we just report the card stolen if it goes missing.
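The brute-force weakness behind the first flaw, as an added example (not code from this article or from Google Wallet): it assumes the PIN is checked on the device against a salted PBKDF2 record, a storage format the article does not describe, and shows that salting and stretching cannot protect a four-digit keyspace once that record is readable. The PIN, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac
import time

ITERATIONS = 10_000  # assumed stretching cost, not a value from the article


def make_verifier(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, stretched PIN verifier as an app might keep it in local storage."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def enumerate_pin(verifier: bytes, salt: bytes, digits: int = 4,
                  iterations: int = ITERATIONS):
    """Walk the whole keyspace; return (pin, guesses_used) or (None, keyspace)."""
    for guesses, n in enumerate(range(10 ** digits), start=1):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(make_verifier(candidate, salt, iterations), verifier):
            return candidate, guesses
    return None, 10 ** digits


def worst_case_seconds(digits: int, iterations: int = ITERATIONS) -> float:
    """Time one derivation and scale it to every PIN of the given length."""
    start = time.perf_counter()
    make_verifier("0" * digits, bytes(16), iterations)
    return (time.perf_counter() - start) * 10 ** digits


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    record = make_verifier("1234", salt)                      # constructed PIN
    pin, guesses = enumerate_pin(record, salt)
    print(f"recovered {pin} after {guesses} guesses")
    # Each extra digit multiplies the work by ten; four digits is only 10,000.
    for digits in (4, 6, 8):
        print(f"{digits} digits: ~{worst_case_seconds(digits):.0f} s worst case")
```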

The second vulnerability, made public Thursday, is a bit more worrisome. It doesn’t require a rooted device to work, which means far more users are potentially vulnerable. All you need to do is clear the Wallet app data in the device’s settings menu. Wallet will act like a fresh install, letting you set a brand new pin. Because your Google prepaid debit card is linked not to your account but to your physical device, a thief would be able to grant themselves access to whatever amount you’ve already stored on that card.

Video: http://www.youtube.com/watch?v=Rh1ytHrhj2E&

Once again though, this does not represent a major flaw. Locking your device with a pin, password, pattern, or even face unlock secures your Wallet better than any credit card, and the thief needs physical access to the phone to make the attempt. Worst case scenario, the most you can lose here is whatever you put on the pre-paid card, so if you’re concerned, don’t keep a large balance on it.

Google has already started working out fixes for both of these issues. The solutions may fundamentally change how Wallet works under the hood, but shouldn’t alter user experience all that much. In the meantime, I’m keeping Wallet installed on my rooted Galaxy Nexus. If someone does steal my phone, I’ll be a lot more worried about buying a new phone than about the $10 Google gave me for installing Wallet in the first place.
