Google Wallet flaw takes the lock off your mobile money (updated)

Updated with comment from Google at 5:14pm PT.

A new vulnerability in Google Wallet gives thieves access to your funds, even if the application data has been erased.

Google Wallet lets you digitize your credit cards and pay for things using near-field communication (NFC). That is, all you have to do is touch your phone to an NFC device and the item you’re buying is automatically charged to your account. Google has touted that its wallet isn’t like the leather ones—it actually has a lock on it. This lock exists in the form of a PIN number that must be entered for access to the wallet. But a hack yesterday exposed an application that, when used on a rooted phone, can guess the PIN number used for Google Wallet.

Unfortunately, another vulnerability exposed an even easier way for criminals to get into your Google Wallet. The virtual wallet is set up to take three different kinds of payment, a Citi Mastercard, a gift card, or Google’s prepaid card. The last option allows you to set up any credit or debit card to allocate funds to the prepaid card. This prepaid card isn’t associated with a Google account, but rather, it’s associated with the phone itself. If someone has stolen your phone and gotten inside, all they have to do is go to your applications preferences and erase all of the data from Google Wallet. You would think this would erase your credit cards as well, but it doesn’t.

The thief will go through the motions of setting up the account, including setting a new PIN number. After accessing the wallet with the new PIN, the thief will be prompted to add a new card. He can choose to upload a prepaid card, and because the card is tethered to your phone, all the information will repopulate, including your remaining balance (see video below for a demonstration).

We asked Google about the vulnerability, and the company emailed saying, “We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

The reality of this, however, is that while your phone being stolen also means your money is stolen, you’d be facing the same scenario if your actual wallet was stolen. Google does tout the wallet as being safer than a regular wallet, but where there’s money, there’s risk.

via 9to5 Google