Google Wallet’s Vulnerability Exposed, Proper Fix Delayed Due to Business Reasons

Google Wallet is a mobile payment system designed to handle many kinds of wireless transactions on a mobile phone using NFC (Near Field Communication). Google launched the app last year on September 29, 2011, and it is currently available on phones running Android 2.3.7 (Gingerbread) and higher that have the app specifically enabled.

While the idea of a universal “no-swipe” mobile digital wallet sounds very appealing, the app by itself places no restriction on who uses a Google Wallet-enabled phone. That is why Google added a PIN, to lock transactions to users who have been granted access.

The problem is that the PIN system does not seem to be tough enough: it was demonstrated that unauthorized parties could eventually crack an account.

Google Wallet’s Current Vulnerability to “Brute-Force”

viaForensics, a security company that specializes in mobile forensics and digital forensic security, recently announced its findings about weaknesses in Google Wallet's security. Its researchers pointed out several “exposed” pieces of the user information the app stores.

The findings were soon independently confirmed by another team at zvelo, which also announced a more pressing issue. The SHA256 hex-encoded string that stores the PIN data can easily be recovered by “brute force”, since an attacker would need only 10,000 calculations to break it. They even created a test app, the Wallet Cracker, to prove the feasibility of this horrible possibility.

Google’s Fix Struggles, Zvelo Gives Advice to Phone Users

With the alarm rung, and the important findings relayed to Google, the company immediately and decisively took action to fix the problem as soon as possible. However, there are two important roadblocks that hampered their plans.

First, the updated Secure Element (SE) code for the fix has to be signed and verified by the manufacturers. The second, more serious problem is the transfer of the PIN information to the SE, which changes the responsibility roles of all the business entities involved in the payment system. For now, the final decision to implement the fix is in the hands of the banks.
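The 10,000-calculation figure above and the proposed move of PIN checking into the SE can be compared directly in a short Python sketch. This is an added example, not code from viaForensics, zvelo or Google: the salt, the salt-then-PIN hash layout, the sample PIN and the five-failure limit are all assumptions made for illustration.

```python
import hashlib
import hmac

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # the 10,000 candidates the article cites

def stored_pin_hash(pin: str, salt: bytes) -> str:
    """Assumed storage format: hex SHA-256 over salt + PIN (layout is illustrative)."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()

def offline_search(target_hex: str, salt: bytes):
    """Audit check: how many hashes until a readable stored value yields its PIN?"""
    for tries, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(stored_pin_hash(pin, salt), target_hex):
            return pin, tries
    return None, len(PIN_SPACE)

class AttemptLimitedVerifier:
    """Model of the mitigation: the PIN stays inside the verifier and failures are capped."""
    def __init__(self, pin: str, max_failures: int = 5):  # limit of 5 is an assumption
        self._pin, self._failures, self._max = pin, 0, max_failures

    @property
    def locked(self) -> bool:
        return self._failures >= self._max

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # no further guesses are evaluated once locked
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self._failures = 0
            return True
        self._failures += 1
        return False

def online_search(verifier: AttemptLimitedVerifier):
    """The same exhaustive search, forced through the attempt-limited interface."""
    for tries, pin in enumerate(PIN_SPACE, start=1):
        if verifier.verify(pin):
            return pin, tries
        if verifier.locked:
            return None, tries
    return None, len(PIN_SPACE)

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value, not from the app
    print(offline_search(stored_pin_hash("7319", salt), salt))
    print(online_search(AttemptLimitedVerifier("7319")))
```

The salt does not slow the offline search because it is stored beside the hash; what stops the search in the second case is that the verifier counts failures and the stored value is never readable.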

No need to feel too threatened though, because zvelo explains that your account would most likely be exploited only if the thief has access to the physical device. As a rule of thumb (at least for now), if your smartphone is Google Wallet capable, DO NOT root it, as a rooted phone loses the “sandbox” protection that controls the data getting in and out of your phone’s apps.

Author Bio: Manas is a blogger who likes to write about mini laptops, tablet PCs and similar electronic products.
