Ahhh, Google Wallet. It's a giant target, both because it involves the almighty dollar and because people love to go after Google. This being the case, we're seeing an old trick being rehashed that will give someone access to your prepaid Google Wallet card. It's not a hack, per se, nor is it new -- but it's a poor design choice that keeps the prepaid card tied to the phone hardware instead of to your Google Wallet account, which is more sandboxed. It goes like this:
- Find a Nexus phone with NFC lying around somewhere
- Wipe the app data on Google Wallet and enter a new PIN
So what you're hearing about now is what happens when you clear the app data from Google Wallet. That means stored information -- the PIN you entered -- is no longer attached to the app on your phone. Next time you open Google Wallet, you're told to enter a new PIN number.
And then it once again asks which Google Account you want to tie in to Google Wallet. Because you're still logged in to your Google Account, suddenly the phone says "Hey! I recognize that user name! And you must be that user on your phone! Here's the free $10 Google's already given you, or whatever else you've added, too."
Thing is, in the example you're hearing about now, you're not actually that user. Someone has stolen your phone. And they can get to the Google Prepaid Card. And that's actually a feature that's documented in Google Wallet's Switching Devices help pages. Emphasis ours.
Your Google Prepaid Card balance may be transferred if you have completed your account registration. Contact us for more assistance.
There are a lot of ways this could be fixed. Maybe the best, but likely the least popular among users, would be to implement an Exchange-like security policy across the entire device where an ID and a PIN must be entered to do things like unlock the phone, or change settings. It would seem easier to secure the entire phone than it would be to change the architecture of the payment system, and if nobody can unlock your phone or get into the Wallet app settings (to clear data), this problem is solved. The new problem is that nobody likes to have to enter a PIN, and Android hackers will find a way around this in short order and call it a "feature" of their ROM. Hopefully Google has people smarter than I tackling these types of issues.
In the meantime, set some sort of screen lock. Just do it. If someone finds your phone, and can't get in, they can't wipe the data on your Wallet and change the PIN. Your Google Wallet, unlike your old wallet, can be locked down.
Source: Smartphone Champ