Last week researchers found vulnerabilities in the Google Wallet payment system. The first, found by Zvelo, required root access. Rooting devices has become just short of trivial at this point with the availability of “one-click root” applications for most platforms. The vulnerability was leveraged to display the current PIN number. The very next day a new vulnerability was discovered in how application data is handled in the Wallet app. In this case no root access is needed; as thesmartphonechamp demonstrated, this is simply a flaw in how the application works. Assuming a Google Prepaid card has been set up, a user can navigate to the application management interface and delete application data for Google Wallet. On return to the app’s interface, the user is then prompted to set up a new PIN. The flaw is that the Google Prepaid card data persists. After establishing a new PIN number, the attacker is free to use the prepaid card as though it were their own.
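The reset flaw described above, as a simplified model added here (it is not Google Wallet's code): the PIN lives in clearable app data while the card lives in storage that survives the wipe, and the hardened variant binds the card to a per-install secret so a wiped install cannot reuse it. The class names, the install-secret binding and the sample PINs and card label are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _kdf(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

class CardStore:
    """Storage that survives 'clear app data' (assumed; the page only says the card persists)."""
    card = None
    binding = None  # hash of the install secret the card was provisioned under

class Wallet:
    def __init__(self, store, hardened):
        self.store, self.hardened = store, hardened
        self.app_data = {}  # clearable storage: PIN verifier and install secret

    def set_pin(self, pin):
        salt = secrets.token_bytes(16)
        self.app_data.update(salt=salt, pin=_kdf(pin, salt))
        # A new install secret is minted only when app data holds none (first run or after a wipe).
        self.app_data.setdefault("install", secrets.token_bytes(32))

    def provision(self, card):
        self.store.card = card
        self.store.binding = hashlib.sha256(self.app_data["install"]).digest()

    def clear_app_data(self):
        self.app_data = {}  # what the OS application manager does

    def pay(self, pin):
        d = self.app_data
        if "pin" not in d or not hmac.compare_digest(_kdf(pin, d["salt"]), d["pin"]):
            return None
        if self.hardened:
            current = hashlib.sha256(d["install"]).digest()
            bound = self.store.binding
            if bound is None or not hmac.compare_digest(current, bound):
                # Card was provisioned under another install: drop it, force re-provisioning.
                self.store.card = self.store.binding = None
                return None
        return self.store.card

def card_after_reset(hardened):
    """Owner provisions a card; app data is then cleared and a new PIN is chosen."""
    w = Wallet(CardStore(), hardened)
    w.set_pin("4821")            # constructed sample values
    w.provision("prepaid-card")
    w.clear_app_data()
    w.set_pin("0000")
    return w.pay("0000")
```

In the unhardened model the card is returned to whoever set the new PIN; in the hardened one the stale binding causes the card to be discarded, so it has to be provisioned again.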
I believe that once you attach credit card data to a platform, you can expect the interest from attackers to grow exponentially. We’ve already seen banking malware developed for Android, and once Google Wallet becomes ubiquitous across all Android devices, we can expect to see a lot more.
I expect these to be just the beginning of a scavenger hunt for Google Wallet vulnerabilities in the future, especially assuming the amount of financial backing Google has wedged behind this initiative. Finance firms Mastercard and Citi are just a few of the growing list of partners. Will the PIN hack be the end of Google Wallet? Certainly not. We’ve just entered a transitional phase where the cash register is moving from the store front into your pocket. And while the Secure Element technology offers a lot of security through encryption of your data, if the interface can be beaten, all that math goes to waste.