Blogger exposes major Google Wallet security flaw

If you took one look at Google Wallet and said to yourself, "There's no way that's completely secure," it turns out you were right.

The Smartphone Champ blog Thursday publicized a major security flaw within Google Wallet that can give hackers access to your Google Prepaid Card through the simple act of resetting your PIN. The blog discovered the flaw when it noticed that the Google Wallet Prepaid Card is not connected to a user's Google account, but rather, to the user's device.


So let's say a hacker steals your phone and clears the data on your Google Wallet application. When the hacker then logs back into the application they'll be prompted to enter a new PIN and assign a Google account to the application. But instead of having to enter their own Google Prepaid Card onto the device, they'll have access to the card that the phone's original user had already placed on the phone.

"Google Prepaid account is not tied to your Google account, it's actually tied to your device, which is why if you change devices you actually have to call Money Network to have your balance moved over to the new device," noted Smartphone Champ blogger Hashim in his video demonstrating the flaw. "I don't know why Google set it this way but that's a pretty big security hole."
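The binding problem Hashim describes can be shown in a few lines. The following is an added, simplified model written for this article, not Google Wallet's code: one wallet ties the prepaid balance to the handset while the PIN and account link live in clearable app data, the other keys the balance to the account on the issuer side (a plain dict stands in for that backend). The account names and PINs are constructed placeholders.

```python
class PrepaidCard:
    def __init__(self, balance_cents):
        self.balance_cents = balance_cents


class DeviceBoundWallet:
    # Flawed design from the article: the card is tied to the handset, while the
    # PIN and account link live in app data that anyone holding the phone can clear.
    def __init__(self, card):
        self.card = card                  # survives a reset of the app data
        self.account = self.pin = None

    def clear_app_data(self):
        self.account = self.pin = None    # balance is untouched

    def setup(self, account, pin):
        self.account, self.pin = account, pin   # no proof of ownership needed

    def pay(self, account, pin, cents):
        if (account, pin) != (self.account, self.pin) or self.card.balance_cents < cents:
            return False
        self.card.balance_cents -= cents
        return True


class AccountBoundWallet:
    # Hardened design: funds are keyed to the account on the issuer side (the
    # `ledger` dict stands in for that backend), so a fresh login after a reset
    # can only reach the balance belonging to the account it logged in with.
    def __init__(self, ledger):
        self.ledger = ledger
        self.account = self.pin = None

    clear_app_data = DeviceBoundWallet.clear_app_data
    setup = DeviceBoundWallet.setup

    def pay(self, account, pin, cents):
        card = self.ledger.get(account)
        if (account, pin) != (self.account, self.pin) or card is None or card.balance_cents < cents:
            return False
        card.balance_cents -= cents
        return True


def thief_spends_owner_funds(wallet):
    # Replays the scenario in the article: the owner enrols, the phone is stolen,
    # the thief clears the app data, enrols a new account and PIN, then pays.
    wallet.setup("owner@example.com", "1234")
    wallet.clear_app_data()
    wallet.setup("thief@example.com", "0000")
    return wallet.pay("thief@example.com", "0000", 500)
```

With the device-bound wallet the replay succeeds against the owner's balance; with the account-bound wallet the thief's login only ever sees funds tied to the thief's own account.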

Google says that it is aware of the flaw and is currently working on "an automated fix that will be available soon." In an email to the Android and Me blog, the company also wrote that it recommended that "anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card."

Google Wallet, announced in spring 2011, uses near-field communication (NFC) technology to send very short-range signals to nearby NFC readers to complete payments -- or as Google tells it, you'll only have to tap your smartphone on a store's credit card processor and you're good to go. Google debuted the application on the Sprint network with the Nexus S 4G device, and the company has said that the app should come to other Android-based devices on other wireless networks in the near future.

NFC payments have become a hot feature on smartphones ever since Google first enabled NFC technology on its Android operating system with the Android 2.3 ("Gingerbread") update last year. Online payment company PayPal has also developed an NFC-based mobile payment application that runs on the Google Nexus S smartphone.
