Google Wallet PIN security cracked - here's what you need to know

Google Wallet's PIN security has been cracked, but there's a caveat -- this is currently only an issue if your phone is rooted. Not rooted? No worries. And with that said and done, here's the deal:

Your Google Wallet PIN (Personal Identification Number) is stored encrypted on your device, and a brute-force method was found to expose the SHA256 hex-encoded PIN information inside the database. This method, which was irresponsibly released to the public, can find the PIN without any incorrect attempts in the Wallet app itself, negating the five-try rule the application has for PIN entry. (See it in action after the break.)

Now here's the not so sexy way to describe it all. You'll need to have a phone with Google Wallet, AND have rooted your device, AND have not set a secure lock screen, AND then lose your phone. The person who finds it THEN can use the app the fellows at zvelo have made and since distributed to brute-force the PIN and THEN can use your phone to make payments, just like they could if they found your credit card, which likely would be quicker and easier than any of this.

Google has been notified and already knows how to fix the issue, but there's a problem. To make it more secure, Google will have to move the PIN information to be controlled and maintained by your bank. This not only will require some changes to the terms of service, but then we're relying on corporate banking institutions to keep our information safe. I'd wager that Citigroup's servers are easier to break into than Google's, and then you have the same issue all over again.

A better way to fix the problem would be to force users to use a better password. PIN information can be cracked so easily because it only uses four numbers. This means that there are only 10,000 possible combinations, and even a portable computer like your Android phone can pull off that sort of brute-force attack. Change the passcode to something like Fgtr5400&d77 -- using a combination of letters, numbers and symbols -- and it's far less likely to be broken, and even less likely to be used because it's not convenient. It's a Catch-22 -- a PIN is easy to use and remember, but it's also easier to crack.
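An added example (not from the article or from zvelo) of the arithmetic in this paragraph: it searches all 10,000 PINs against a constructed hash record and compares keyspace sizes. The salt, the salt+PIN layout, the sample PIN, the 94-symbol alphabet and the PBKDF2 iteration count are assumptions; the article gives only "SHA256 hex-encoded".

```python
import hashlib
import math
import time

# Constructed sample record. The article says only "SHA256 hex-encoded PIN
# information"; the salt and the salt+PIN layout here are assumptions.
SAMPLE_SALT = "constructed-salt-0001"
SAMPLE_PIN_HASH = hashlib.sha256((SAMPLE_SALT + "4821").encode()).hexdigest()


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random secret of this shape."""
    return length * math.log2(alphabet_size)


def offline_pin_search(salt, stored_hex, digits=4):
    """Try every PIN of this length; return (pin, hashes_computed).

    No guess passes through the app, so its five-try counter sees none.
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        digest = hashlib.sha256((salt + candidate).encode()).hexdigest()
        if digest == stored_hex:
            return candidate, n + 1
    return None, 10 ** digits


def worst_case_seconds(keyspace, seconds_per_guess):
    """Time to exhaust a keyspace at a measured per-guess cost."""
    return keyspace * seconds_per_guess


def time_one_pbkdf2(iterations):
    """Measure one PBKDF2-HMAC-SHA256 evaluation on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"0000", SAMPLE_SALT.encode(), iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    pin, tried = offline_pin_search(SAMPLE_SALT, SAMPLE_PIN_HASH)
    print(f"recovered {pin} after {tried} hashes, 0 in-app attempts")
    print(f"4-digit PIN: {keyspace_bits(10, 4):.1f} bits")
    print(f"12-char password, 94 symbols: {keyspace_bits(94, 12):.1f} bits")
    per_guess = time_one_pbkdf2(200_000)  # iteration count is an assumption
    minutes = worst_case_seconds(10_000, per_guess) / 60
    print(f"PBKDF2 x200k over all 10,000 PINs: {minutes:.1f} min")
```

Even a deliberately slow hash only multiplies the cost of 10,000 guesses, so a four-digit PIN stays exhaustible for anyone who can read the stored value.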

I'm not going to tell you to stop using Google Wallet, nor am I going to tell you to stop rooting your phone. I am going to tell you to pick it up, and put a passcode on the lock screen now, before you lose it.

Source: zvelo


Jerry Hildenbrand
Senior Editor — Google Ecosystem


  • nice article. Not ready for Google Wallet thank you...
  • The solution is to pay with cash. Before long the terminals/receivers that you pay through will get an 'upgrade' and start collecting information on what device just paid for what, marketing you know...
    Nobody needs to know who you are when you're buying something, you walk in, you buy something, they never see you again, simples.
  • And make sure you keep that cash stored in a mattress too. And unplug all of your computers. And bury your head in the sand.
  • I just roll a Tbolt and CITI already changed my account.
  • 1. Use a lockscreen password. 2. Use a Mobile protection app. (Something that can find your phone.) 3. Always leave your GPS on. 4. When it's time to checkout, unlock the timer on the Wallet app before getting to the register (so no one sees your pin). Do these things and you should give CROOKS a very hard time.
  • Ahhh Jerry, always the voice of reason while the rest of the world runs around to look for water to put their flaming hair out.
  • Still, you have to bet the mainstream press, always ready to please apple will have this all over Google News by tomorrow morning. Sigh...
  • Apple has nothing to do with this. Maybe if people like you would stop bringing them up every five seconds just to bash them the world would be a better place. Sigh...
  • Google Wallet is still more secure than my actual wallet. That is a lot of steps for a common pick pocket to use just for a free meal. Find my phone, figure out which model it is, determine if it is rooted and it is not rooted, then figure out how to root it, then launch a brute force attack to crack it, find places that accept Wallet and then spend VS take wallet, pull out cash and credit cards and spend. I do think this could be the end of wallet. It is a security risk and opponents have been looking for ANY reason, even one as outlandish as this, to call foul on the service. NFC payments have probably been set back a years
  • Doesn't rooting your phone wipe it? So if they rooted it, they technically wouldn't be able to access your Google account, therefore Wallet too.
  • Rooting, in and of itself, doesn't necessarily wipe the device. Now, it might be the case depending on what device and how it's rooted.. but not always true.
  • Well the only two devices that run Wallet (Gnexus and NS4G) are both wiped when rooted. No issue if your phone isn't rooted. Even if it is rooted (like my NS4G) I wouldn't worry. This is a non-issue to me.
  • They are wiped when unlocked, not when rooted. I just unlocked mine last night then set everything up then rooted. There are more things on my phone that I would be worried about than the free $10 on my wallet account.
  • that's why I like having a wallet chain. Good luck getting into my pants pocket AND detaching the chain without me noticing either.
  • What if I use face lock? Oh wait... The person who finds my phone MIGHT just have a picture of me laying around in order to unlock the phone... Crap....
  • Ummm...okay. This is like me saying I can break into your house IF I find your house keys AND I find you wallet AND I have your garage door code AND I have your alarm code AND I know when you are away from your house. I can steal your car IF you lose your keys AND I can find your car AND if you haven't reported it stolen AND it's not a stick shift. I can also marry Adriana Lima IF I win the lottery AND I stop looking the way I do AND I lose 40 lbs AND I actually get to meet her AND she isn't already taken. Quality not Quantity please.
  • +1, nicely put.
  • As expected. Everyone saw this coming.
  • I don't find this crack too alarming. What I don't like about Google Wallet is that when I need to enter a PIN, say, to make a payment, people behind me can easily see what I enter. With the Galaxy Nexus, I would love it to give me a choice to use Face Unlock instead of punching in a 4 digit PIN.
  • That's why the timeout feature is useful. Unlock the Wallet app in an area you feel confident that no one is looking before getting to the cash register. As long as you keep your screen turned off until you get to the register (thus disabling the secure element), you're still safe.
  • But will they be able to "add funds" if they do not have your debit card CCV code?
  • Regardless I use google wallet at different places and I love the convenience period. Fear factor won't change my use period. Most of us are safe people and take enough precautions and don't misplace or lose our devices....
  • They would still have to get my phone. Not to mention I only keep emergency cash in my Wallet account since I don't have a credit card that is supported.
    I would be a lot more worried about losing my actual wallet with debit / credit cards vs losing my phone. For that matter, the wife had her bank account raided by someone that broke into a database for a restaurant that she bought lunch at. They bought lots of stuff at American Eagle and some other places on the West Coast.
  • While it is great to bring this to light and increase security and awareness, I will just deny the charges and be just fine.
  • Sounds like the PIN just needs to be more flexible....4 digits is just not enough...
  • We need a poll. How many people use a lock screen on their Android? Having never lost or forgotten a phone in the entire 10-12 years I've had a cellphone, I still run mine unlocked. But then I don't have NFC. The most a thief could get from my phone is a weeks worth of Starbucks, before I could change the passwords on my Google account.
  • I think you're right about that poll.  Great idea
  • All this worry about the vulnerability of the Google Wallet seems misplaced. The thief would still need physical access to the phone, and the credit card number still looks like it is secure. It's not like someone could remotely attack the phone and get your credit card info out without you knowing it. It is still more secure than if a thief stole the actual credit card. But, in a worst case scenario, you just call the credit card company and tell them your card is stolen. All this worry about Google Wallet security, and many people will still walk into a restaurant, and let an underpaid waiter take their credit card out of sight to a back room to swipe the card (and maybe copy it down)?
  • Well if my real wallet fell out of my pants and someone picked it up. I don't think that person will have to try too many brute force method to take out the $20 bill inside and spend it. I also don't keep a lot of money in my google wallet. I generally transfer $25. I'm mostly buying coffee with it anyway. Anything more, I do the transfer when I'm about to pay.
  • As presented this does not seem to pose more of a security risk than someone stealing your wallet or breaking into your house. My question is whether the method behind the app to break the code can be used as a trojan app eliminating the need for the phone to have been stolen. I don't know squat about code so I may be way off.
  • Umm... I have to disagree with Jerry on this one. Passcode doesn't matter that much. It may discourage the random person that thinks they got lucky and can get some free cash, but if someone picks up your device, and really wants that account pin, they'll have it. I could easily see a method to pull the database off the device from recovery (after all, it says this program never actually uses the wallet application itself). I've heard tell of methods to push an app to the phone that disables the lockscreen. Those methods might not be around or readily available here and now, but if Google Wallet (or NFC payment apps in general) become really popular, then ways will appear. I would say that one would be better off getting a remote wipe solution onto their phones and be ready to push the killswitch from home, work, or the local library as soon as possible after losing it. If you get the device back, great! Fire up Titanium Backup and restore to the last point before the wipe. Law 3 on the following list:
    "If a bad guy has unrestricted physical access to your computer, it is no longer your computer."
  • Or you could always just clear the app data and reset the pin. Just sayin'.
  • If you lose your phone, just activate your remote wipe app. You do have a remote wipe app?
  • I go to The Ohio State University and every time I add my School Email Account to my NS4G it sets itself as the Device Admin so I can wipe it from any computer anywhere from my email account, granted we have Microsoft Exchange so it already comes built in.
  • If you lose your phone or have it stolen, you should be doing one or both of the following no matter what:
    * Revoke your Application-specific password for your phone if using 2-factor authentication (you should be).
    * Remote wipe your device if you have the ability.
    In addition to those steps, if using Google Wallet you should also:
    * If you use the Google Pre-paid card, keep a record of your card number and call Money Network immediately: 855-896-0693. The same goes for a Citibank MasterCard. You know, just like you would if a regular credit card was lost/stolen.
  • I'm not worried about this and will continue using Google Wallet, but that's not the problem. When Google fixes this by putting the bank in charge of passwords instead of keeping PIN info on my phone, won't my copy of Wallet become unusable since my GNex is not a supported device for Wallet?
  • Pins are easy to remember, hard to crack (1234). Passwords are hard to remember and sometimes hard to crack (f00Bar!). Pass phrases are easy to remember and hard to crack (GrandmaGotRunoverByAReindeer). The only down side of a pass phrase is the extra typing. Since something needs to be entered every time you make a payment, that's a barrier and a pin is better. BUT - what if the database were salted with a pass phrase at account setup? That way, the encryption is really a combination of the larger phrase and the pin. The application encrypts the phrase separately, caching it, but internally decrypts it for combined use with the pin. In this way, a brute force attack would have to pass both to an exposed internal API. There's probably a hole in that somewhere too, or some genius at Google would have already thought of it I guess. Another thought, if I lose my AMEX, no one has to brute force a database before they can use it fraudulently. So all we're saying here is that Wallet is not as secure as we hoped, but still more secure than a card, because a thief must at least have the wherewithal to crack the database.
  • As soon as I installed Google Wallet I knew the scale of sh!t I could dig myself if I was irresponsible and lost my phone. Even if I did stop using wallet my lost phone could still be used to make purchases from amazon, xbox live, paypal etc. We are living in a new age of necessary responsibility and the consumer undoubtedly must accept to share some of that with the developer.
  • I use the lock screen with a pattern that doubles back on itself. I think random number pads plus PIN would be a good setup for touchscreens. So your PIN is 1234 but the number pad for entering shuffles the location of the numbers each time and never puts it in the ATM/Dialer/Calculator format so that there's not a fingerprint pattern on the screen that's consistent. That also means someone looking over your shoulder couldn't just memorize where your fingers touch the screen either. I know people would complain because they couldn't mindlessly type in a PIN without looking at the numbers on the buttons, but it would be a bit more secure.
  • Technically all you need on many phones is to use no or slide to unlock with no password, pin or pattern on the device.
    For many phones the rooting process doesn't have to wipe any data so the person who got your phone could do the rooting.
  • With any nexus phone, data is wiped when bootloader is unlocked. To root the phone you have to have bootloader unlocked. Nobody unlocks bootloader just to unlock the bootloader and not gain root access (if you do, well then...tough luck). So those who do not root most likely will not have their bootloader unlocked. And if their phone gets stolen, the thief must unlock bootloader to gain root and data is wiped. Just saying.
    I'm rooted, and use google prepaid (no saved add fund acct.) with no more than 100 bucks on there. So I'm not worried. Besides I'd use remote wipe well before they would get a chance to install the gw cracker.
  • Well this is definitely a non-issue to me, seeing as though I don't have downloaded nor do I even use Google wallet.