Google Wallet PIN Hack Still Works, But …

by Mercator Advisory Group 0

The same white-hat hacker who broke the PIN handling of Google Wallet 1.0 has discovered that the same, or a very similar, hack works against the new and improved, cloud-oriented Google Wallet 2.0. This issue only occurs on rooted Android handsets, so it is easy to have some sympathy with Google’s stance that it cannot secure Wallet on a phone whose security has been compromised. But the issue does persist and it is possible for a phone to fall into someone else’s hands who, themselves, will root the device and be able to compromise the PIN code.

As with all electronic payment methods, the security of Google Wallet is still a work in progress. Google has much bigger challenges for Wallet. It needs Verizon Wireless, AT&T Mobility, and T-Mobile (the Isis triumvirate) to allow Google Wallet access to the secure element on the devices it controls. And that’s not likely for the time being.

While the PIN hack is a concern, it is not a fatal flaw by any means. Indeed, between its launch and the new version, Google Wallet has changed its card handling model in a way that may enhance security. If nothing else, this is not a security issue to get excited about. Just don’t root your phone.

From Security Watch:

“This new update changes Google Wallet from a way to store and pay directly with your payment cards to a NFC Google Checkout service,” wrote Intrepidus senior consultant Max Sobell in a blog post.

But with less data stored locally, the threat landscape is shrunk.

“I would say that one-off fraud is much safer because all payments now go through Google’s ‘virtual’ card, and then are passed off to your credit card within Google’s environment,” Intrepidus senior consultant Max Sobell told Security Watch. “In previous Wallet builds, your credit card details were going through the NFC interface unencrypted to the Point of Sale terminal.”

Click here to read more from Security Watch.