Google Wallet's PIN security has been cracked, but there's a caveat -- this currently only is an issue if your phone is rooted. Not rooted? No worries. And with that said and done, here's the deal:
Your Google Wallet PIN (Personal Identification Number) is stored encrypted on your device, and a brute-force method was found to expose the SHA256 hex-encoded PIN information inside the database. This method, which was irresponsibly released to the public, can find the PIN without any incorrect attempts in the Wallet app itself, negating the five-try rule the application has for PIN entry. (See it in action after the break.)
Now here's the not so sexy way to describe it all. You'll need to have a phone with Google Wallet, AND have rooted your device, AND have not set a secure lock screen, AND then lose your phone. The person who finds it THEN can use the app the fellows at zvleo have made and since distributed to brute-force the PIN and THEN can use your phone to make payments, just like they could if they found your credit card, which likely would be quicker and easier than any of this.
Google has been notified and already knows how to fix the issue, but there's a problem. To make it more secure, Google will have to move the PIN information to be controlled and maintained by your bank. This not only will require some changes to the terms of service, but then we're relying on corporate banking institutions to keep our information safe. I'd wager that Citigroup's servers are easier to break into than Google's, and then you have the same issue all over again.
A better way to fix the problem would be to force users to use a better password. PIN information can be cracked so easy because it only uses four numbers. This means that there are only 10,000 possible combinations, and even a portable computer like your Android phone can pull off that sort of brute-force attack. Change the passcode to something like Fgtr5400&d77 -- using a combination of letters, numbers and symbols -- and it's far less likely to be broken, and even less likely to even be used because it's not convenient. It's a Catch-22 -- a PIN is easy to use and remember, but it's also more easy to crack.
I'm not going to tell you to stop using Google Wallet, nor am I going to tell you to stop rooting your phone. I am going to tell you to pick it up, and put a passcode on the lock screen now, before you lose it.
Source: zvelo
Youtube link for mobile viewing
Have you listened to this week's Android Central Podcast?
Every week, the Android Central Podcast brings you the latest tech news, analysis and hot takes, with familiar co-hosts and special guests.
We may earn a commission for purchases using our links. Learn more.
The Galaxy S21 is a great phone, but sometimes I miss using a Pixel
No phone is perfect, and if you're a picky man who is set in his ways you'll find things that bug you. I am that man and this is my list.
Horizon Zero Dawn is a must-play game now that it's free
Horizon Zero Dawn was already a must-play game, but now you have no excuse because it's going free through PlayStation's Play At Home initiative.
Carmack talks the future of Quest 2, new headsets, Quest 1 support and more
John Carmack, CTO of Oculus, sat down with VP Facebook Reality Labs Andrew Bosworth (Boz) and answered a few questions taken via Twitter Spaces, talking about the future of the Oculus Quest platform.
The Xperia 1 II is our favorite phone for shooting video
If video recording is your thing, then look no further than the Sony Xperia 1 II — it offers a large screen, three great cameras, and extremely robust manual video controls.