Android Central

Ahhh, Google Wallet. It's a giant target, both because it involves the almighty dollar and because people love to go after Google. This being the case, we're seeing an old trick being rehashed that will give someone access to your prepaid Google Wallet card. It's not a hack, per se, nor is it new -- but it's a poor design choice that keeps the prepaid card tied to the phone hardware instead of with your Google Wallet account, which is more sandboxed. It goes like this:

  • Find a Nexus phone with NFC laying around somewhere
  • Wipe the app data on Google Wallet and enter a new PIN
  • Profit?

So what you're hearing about now is what happens when you clear the app data from Google Wallet. That means stored information -- the PIN you entered -- is no longer attached to the app on your phone. Next time time you open Google Wallet, you're told to enter a new PIN number.

And then it once again asks which Google Account you want to tie in to Google Wallet. Because you're still logged in to you Google Account, suddenly the phone says "Hey! I recognize that user name! And you must be that user on your phone! Here's the free $10 Google's already given you, or whatever else you've added, too."

Thing is, in the example you're hearing about now, you're not actually that user. Someone has stolen your phone. And they can get to the Google Prepaid Card. And that's actually a feature that's documented in Google Wallet's Switching Devices help pages. Emphasis ours.

Your Google Prepaid Card balance may be transferred if you have completed your account registration. Contact us for more assistance.

There are a lot of ways this could be fixed. Maybe the best, but likely the least popular among users, would be to implement an Exchange-like security policy across the entire device where an ID and a PIN must be entered to do things like unlock the phone, or change settings. It would seem easier to secure the entire phone that it would be to change the architecture of the payment system, and if nobody can unlock your phone or get into the Wallet app settings (to clear data), this problem is solved. The new problem is that nobody likes to have to enter a PIN, and Android hackers will find a way around this in short order and call it a "feature" of their ROM. Hopefully Google has people smarter than I tackling these types of issues.

In the meantime, set some sort of screen lock.  Just do it.  If someone finds your phone, and can't get in, they can't wipe the data on your Wallet and change the PIN.  Your Google Wallet, unlike your old wallet, can be locked down.  Hit the break to see a video of this one in action.

Source: Smartphone Champ

Youtube link for mobile viewing

 
There are 25 comments

Reader comments

Google Wallet under attack again - this time by a feature, not a hack

25 Comments
Sort by Rating

With all the info we store on our phones today anyone who doesn't have a pin or other method of keeping the phone locked deserves what they get. I use the phones pin lock plus a pin to enter any settings menu plus theft aware so I can locate or remote wipe.

well good 4 u...u mus hav a hell of a lotta mor time than the rest of us bodies...I don't even hav the time to enter all those pinz,etc...lol ;-)

The best way to combat this would be to not add money to the prepaid card. The only funds they have access to would be the Google Prepaid card. Clearing the data would wipe out any other cards.

That's not really a solution now, is it? I don't have any Citi cards, so my solution would be not to use it at all? Just don't add too much to the prepaid card and use a screen lock. If I am careless and leave my phone somewhere or it gets stolen and you crack my pin or whatever lock I have, congrats, you win $30. I don't really need to keep a high balance for McDonald's, Jamba Juice and 7-11 purchases.

I just think the whole thing is rather stupid, myself. Like most people, I have to carry a real wallet anyway. And that has a credit card in it! So why exactly is having to find my phone, take it out of the case, turn it on, unlock it, find the app, launch it, enter a PIN, so much easier than swiping my credit card??????

That, and think of this as a "wallet"....if you use Wallet and your phone is stolen, change your Gmail password [which you should do anyway] .. and if you want to really be thorough cancel the credit card associated with your Google account.

Surprised no one has ever mentioned that some could go app crazy in the market once they have your phone...same thing.

EDIT: I see the other posts made my points already, hehe

Isn't it true for all the apps? Last time I tried on Android Market with the setting of "Use Pin For Purchase". If you click "Clear data" at App Info, the Pin I've already setup will be gone. After that, no pin is required for any purchase!

Hasn't the first rule of security always been that if a "hacker" has physical access to your computer/phone/device - you are screwed?

If you steal someone's smartphone and they don't have a pin/password or you break it, you own their life anyway. A little Google Prepaid card is just icing on the cake.

And again 2 step verification fixes this. Revoke your damn phone if you loose it. Problem fixed.

It's alot easier to hack a credit card. Steal one and sign somebodys name.

If you use the prepaid card just make sure to add small amounts at a time so if you do lose your phone and someone knows to do this, you don't have a huge loss.

If you use the Citi Mastercard and lose your phone. Call your bank and report it stolen and close the account. Problem solved.

I ain't sweating it. By 2017, when Wallet becomes available for my Optimus V, I suspect they'll have this fixed.

I actually discovered this feature when I first installed Google Wallet. It's great for when you actually forget your PIN.

So let me see if I understand this.. locking it to your device is a security problem (given the software pin reset glitch). But hey.. if it transferred easily to another device that is also a security hole/glitch. Bottom line they have to have my device to reset the pin.. they have to have my device to make a purchase. I have to leave my device wide open for them to get in and that will only be happening when they pry it from my cold dead hands.

Get one of the apps that does a remote wipe and sleep a lot easier if you stuff disappears and for gods sake stop picking at the most user involved phone OS in the known universe

Seriously, Google should take this app out and go back to drawing board. It is quite obvious the GWallet developers have no clue how to design a secure app as important as this.

On top of that, if you lost your iPhone or WP7, you have remote wipe capability built right into those mobile OSes. Not so with Android. You will have to rely on 3rd party apps or exchange sync to do remote wipe.

Your Google account and the ability to switch devices has nothing to do with it. As the video explicitly explains, the Wallet balance is associated with the phone, not with your Google Account. Therefore, this vulnerability has nothing to do the ability to switch devices (which is far from easy or automatic, btw). You could probably even set up a new Google account on the phone and associate the balance with that account.

if your phone is rooted and has clockwork recovery on it than they (someone who finds or steals your phone) could still get into your phone, no? if the person is familiar with getting into the phone's recovery than they could wipe data and reboot the phone. viola!

You don't need to be rooted to wipe the settings data. Don't lost your phone or let anyone touch your phone. That's the only defense.

I only charge it up to $20 and use it for small purchases. I'd venture to say that anyone who is going to swipe my cell phone probably has no idea how to use the Google Wallet anyways.

Dont they have Jing or something like it for smartphones yet? Im tired of seeing people using a camera to film their phone in the dark.

Teething problems. It happens on almost all new technologies and software. A mistake was made and now a fix should be rolled out as quickly as possible. Google Wallet needs to get its security sorted out if Google wants people to trust and use the service.