Another Google Wallet vulnerability has been discovered. It follows a brute-force method that was found to retrieve the Google Wallet PIN on rooted phones that have been lost and have no security features to keep people out of the phone.

Unlike the other, this one doesn’t require root. It does still require your attacker to have your phone and bypass any security you set up, though. A user with your phone could simply clear Google Wallet’s application data. After that, the application requests a PIN the first time it is launched.

The attacker can enter their own PIN and gain access to the application. The only thing they’d be able to access is your Google Wallet Prepaid card. Any other credit cards tied to your account are removed upon clearing data.

We’re not too sure how many people actually use this particular feature but we imagine those who do only add funds as they need them and don’t use it to house their entire life savings. It’s still a vulnerability, though, and needs to be addressed.

Google could simply implement the PIN system on their server and request the PIN even if a phone has been factory reset. They’d simply ask you to sign into your Google account and verify the PIN that is tied to that account for Google Wallet before allowing the user access. Even the freshest of installs couldn’t bypass that.
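A sketch of that server-side design, added here as an illustration and not taken from Google's code: the PIN record and the failed-attempt counter are keyed by account on the server, so clearing the app's local data neither lets a new PIN be set nor resets the counter. The class names, the five-attempt lockout and the sample account and PIN are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed lockout threshold, not a value from the article

def _derive(pin, salt):
    # Slow salted hash of the PIN; only the server ever stores it.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class WalletPinServer:
    """Hypothetical server: PIN state is keyed by account, not by device."""
    def __init__(self):
        self._accounts = {}  # account -> {"salt", "hash", "failures"}

    def enroll(self, account, pin):
        if account in self._accounts:
            raise PermissionError("PIN already set; verify it instead")
        salt = os.urandom(16)
        self._accounts[account] = {"salt": salt, "hash": _derive(pin, salt), "failures": 0}

    def verify(self, account, pin):
        rec = self._accounts[account]
        if rec["failures"] >= MAX_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(_derive(pin, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "denied"

class WalletApp:
    """Hypothetical client: keeps only an unlocked flag, never the PIN."""
    def __init__(self, server, account):
        self.server, self.account, self.unlocked = server, account, False

    def clear_app_data(self):
        self.unlocked = False  # local state resets; the server record does not

    def unlock(self, pin):
        self.unlocked = self.server.verify(self.account, pin) == "ok"
        return self.unlocked

def demo():
    server = WalletPinServer()
    server.enroll("owner@example.com", "4821")  # constructed sample values
    app = WalletApp(server, "owner@example.com")
    app.clear_app_data()  # the step described in the article
    return [app.unlock(pin) for pin in ("0000", "1111", "4821")]
```

Because the counter also lives on the server, the same design limits the PIN guessing described in the earlier brute-force report.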

We’re not sure what Google will be doing about this particular flaw but we’d hope that the above idea is at the top of their list. It’s probably a good idea to set up a password on your phone and not lose that phone. Beyond that, simply don’t keep funds inside your virtual prepaid card. [via Droid-Life]

  1. Not so much a vulnerability so much as an oversight, IMO.  Google probably just didn’t think of this.  Oh well.  I’m sure it’ll be patched eventually.

  2. Why are you cheerleading for Google wallet?  This is the second post where your site has toned down their security flaws as not so bad, because most users have the strictest security settings already.

    1. It’s still better security than if they have your wallet and credit cards in hand.

    2. Are you kidding? This isn’t even a security flaw. This is by design. Put a password on your unlock screen to prevent this.

      This post is just FUD for hits.

    3. Let me ask you this, how well do you guard your wallet? Do you have a chain on there? Maybe some type of lock? If not, Google Wallet is clearly safer than your actual wallet so your comments are stupid.

      1. I’m more complaining about the writing than the flaw.  When you read this post and the other post describing a different flaw in google wallet, the author seems to make every assumption in favor of google wallet.

        First assumption, you have to lose your phone.  Why wouldn’t thieves target google wallet users and steal it?

        Second assumption, they have to get past your security settings.  Most users don’t have security settings set.

        Third assumption, you’ll be able to remotely wipe your phone in time. If someone intentionally steals your phone, will you really be able to remotely wipe it in time?  Wouldn’t they steal it and act quickly?

        If the author had instead focused on what you are saying I might have felt differently about the post.

        I mean right now google wallet is a niche thing, so it’s no big deal and it would be hard to target google wallet users.  But google wants google wallet to be used by everyone and I think they have to improve clear up these issues before they can become mass market.

