The Google Wallet system appears to be under siege. Over the past couple of days, two different methods of potentially cracking or circumventing the PIN that protects Google Wallet have been revealed. What's worse is that you could potentially be liable for fraudulent charges racked up with Google Wallet.
The initial revelation wasn't much of a threat, relatively speaking. It required that the smartphone be rooted -- a process that comes with inherent security consequences the user must be aware of and accept when embarking down that path -- and it relied on special software and some hacking skill to get at the PIN data.
The newer issue has much broader implications. An attacker can potentially hijack or circumvent the PIN protection on any Google Wallet smartphone. The device doesn’t have to be rooted, and the technique doesn’t require any special tools or skills.
In either case, though, Jaime Blasco, head of labs with AlienVault, argues that the issues surrounding the security of Google Wallet are the direct result of the security of the payment card process being sacrificed for the sake of convenience.
Blasco says that we are likely to see more and more convenient payment systems like Google Wallet appearing across smartphones and other mobile devices. He stresses, however, that potential users should stop and consider the risks and think twice about trusting these gadgets with debit or credit card credentials.
The terms and conditions of most credit and debit card agreements protect users from fraudulent charges. However, how much protection is provided, and the specific conditions of receiving the protection vary from one financial institution to the next. Many require that the account holder take reasonable steps to protect their card details, and it is possible that a provider could interpret storing credentials on a smartphone as a violation of that mandate.
Blasco argues, "Put simply, cardholders may find that, if their account is drained of money by cybercriminals, they have no comeback against their bank or financial institution."
It should be stressed, though, that this is not really a flaw in Android itself. Following basic security practices on your Android smartphone would keep an attacker from reaching the Google Wallet app in the first place, which is what both techniques depend on.
In other words, if you use the security controls at your disposal to protect and secure your Android smartphone, it would be significantly more difficult for anyone to access your Google Wallet, and very hard for a card provider to argue that you had not taken "reasonable steps". But if you root your device and/or don't bother to prevent unauthorized access to it with a lock screen and some sort of PIN or other authentication mechanism, you may very well be liable.
For reference's sake, I am including the response from Google related to the more recent issue, as shared by Jacobsson-Purewal in her article:
Google has noted the security flaw and tells PCWorld it's currently working on an automated fix that will be available soon. Meanwhile, Google recommends that all Google Wallet users set up a lock screen as an additional layer of protection for their phone.
Google also strongly encourages users who lose or want to sell their Google Wallet-enabled phones to call the Google Wallet support (toll-free) number, 855-492-5538, to disable the prepaid card.