Google Wallet's PIN security has been cracked, but there's a caveat -- this currently only is an issue if your phone is rooted. Not rooted? No worries. And with that said and done, here's the deal:
Your Google Wallet PIN (Personal Identification Number) is stored encrypted on your device, and a brute-force method was found to expose the SHA256 hex-encoded PIN information inside the database. This method, which was irresponsibly released to the public, can find the PIN without any incorrect attempts in the Wallet app itself, negating the five-try rule the application has for PIN entry. (See it in action after the break.)
Now here's the not so sexy way to describe it all. You'll need to have a phone with Google Wallet, AND have rooted your device, AND have not set a secure lock screen, AND then lose your phone. The person who finds it THEN can use the app the fellows at zvleo have made and since distributed to brute-force the PIN and THEN can use your phone to make payments, just like they could if they found your credit card, which likely would be quicker and easier than any of this.
Google has been notified and already knows how to fix the issue, but there's a problem. To make it more secure, Google will have to move the PIN information to be controlled and maintained by your bank. This not only will require some changes to the terms of service, but then we're relying on corporate banking institutions to keep our information safe. I'd wager that Citigroup's servers are easier to break into than Google's, and then you have the same issue all over again.
A better way to fix the problem would be to force users to use a better password. PIN information can be cracked so easy because it only uses four numbers. This means that there are only 10,000 possible combinations, and even a portable computer like your Android phone can pull off that sort of brute-force attack. Change the passcode to something like Fgtr5400&d77 -- using a combination of letters, numbers and symbols -- and it's far less likely to be broken, and even less likely to even be used because it's not convenient. It's a Catch-22 -- a PIN is easy to use and remember, but it's also more easy to crack.
I'm not going to tell you to stop using Google Wallet, nor am I going to tell you to stop rooting your phone. I am going to tell you to pick it up, and put a passcode on the lock screen now, before you lose it.
Source: zvelo
Youtube link for mobile viewing
Have you listened to this week's Android Central Podcast?
Every week, the Android Central Podcast brings you the latest tech news, analysis and hot takes, with familiar co-hosts and special guests.
We may earn a commission for purchases using our links. Learn more.
Samsung Galaxy Buds Pro review: The new best
Samsung's aiming squarely at the AirPods Pro with the new Galaxy Buds Pro, but it's done something better: it's made one of the best-sounding wireless earbuds you can buy.
Soundcore Liberty Air 2 Pro review: Sounds about right
Soundcore isn't a household brand just yet, but Anker's headphone division is making a name for itself as the producer of the best-sounding true wireless earbuds under $150.
Did you pre-order the Galaxy S21?
Pre-orders for the Galaxy S21 are open right now! Did you pre-order the phone already or plan on doing so soon?
The best portable instant photo printers for Android devices
You're on the move and making memories on your mobile. While digital is great, why not try and make those memories a little more permanent with a tangible photo?