Blogger exposes major Google Wallet security flaw

Brad Reed (Network World), 11 February, 2012 03:23

If you took one look at Google Wallet and said to yourself, "There's no way that's completely secure," it turns out you were right.

The Smartphone Champ blog Thursday publicized a major security flaw within Google Wallet that can give hackers access to your Google Prepaid Card through the simple act of resetting your PIN. The blog discovered the flaw when it noticed that the Google Wallet Prepaid Card is not connected to a user's Google account, but rather, to the user's device.


So let's say a hacker steals your phone and clears the data on your Google Wallet application. When the hacker then logs back into the application, they'll be prompted to enter a new PIN and assign a Google account to the application. But instead of having to enter their own Google Prepaid Card onto the device, they'll have access to the card that the phone's original user had already placed on the phone.

"Google Prepaid account is not tied to your Google account, it's actually tied to your device, which is why if you change devices you actually have to call Money Network to have your balance moved over to the new device," noted Smartphone Champ blogger Hashim in his video demonstrating the flaw. "I don't know why Google set it this way but that's a pretty big security hole."
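The binding problem described above can be shown with a simplified model. This is an added example, not Google Wallet code and not taken from the article or the Smartphone Champ blog. The class names, the `bind_card_to_account` switch and the account strings are assumptions for illustration, and the account check shows one possible mitigation, not Google's fix.

```python
"""Simplified model of a device-bound prepaid card (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    """State that stays on the phone when the wallet app's data is cleared."""
    device_id: str
    card_balance: float = 0.0
    card_owner: Optional[str] = None      # consulted only by the hardened design


@dataclass
class WalletApp:
    """App-side state: account and PIN are lost on 'clear data'."""
    device: Device
    bind_card_to_account: bool            # False = behaviour the article describes
    account: Optional[str] = None
    pin: Optional[str] = None

    def clear_data(self) -> None:
        self.account, self.pin = None, None   # the card on the device is untouched

    def setup(self, account: str, pin: str) -> None:
        self.account, self.pin = account, pin
        if self.device.card_owner is None:
            self.device.card_owner = account  # first provisioning of the card

    def spend(self, pin: str, amount: float) -> bool:
        if pin != self.pin or amount > self.device.card_balance:
            return False
        if self.bind_card_to_account and self.account != self.device.card_owner:
            return False                      # card belongs to a different account
        self.device.card_balance -= amount
        return True


def simulate_theft(bind_card_to_account: bool) -> bool:
    """Return True if a new holder can spend the original user's balance."""
    device = Device("constructed-device-1", card_balance=50.0)
    app = WalletApp(device, bind_card_to_account)
    app.setup("owner@example.com", "1234")
    app.clear_data()                          # new holder resets the app
    app.setup("other@example.com", "9999")    # new PIN, different account
    return app.spend("9999", 20.0)
```

With the card tied only to the device, the PIN protects nothing once the app state is reset; tying the card to the provisioning account makes the reset useless to a different user.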

Google says that it is aware of the flaw and is currently working on "an automated fix that will be available soon." In an email to the Android and Me blog, the company also wrote that it recommended "anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card."

Google Wallet, announced in spring 2011, utilizes near-field communications technology to send very short-range signals to nearby NFC tags to complete payments -- or as Google tells it, you'll only have to tap your smartphone on a store's credit card processor and you're good to go. Google debuted the application on the Sprint network with the Nexus S 4G device and the company has said that the app should come to other Android-based devices on other wireless networks in the near future.

NFC payments have become a hot feature on smartphones ever since Google first enabled NFC technology on its Android operating system with the Android 2.3 ("Gingerbread") update last year. Online payment company PayPal has also developed an NFC-based mobile payment application that runs on the Google Nexus S smartphone.
