Google Wallet Suspends Prepaid Credit Card Functions
By John P. Mello Jr.
Google has suspended prepaid capabilities on credit cards linked to its mobile wallet after a security flaw was exposed.
Saturday’s move comes following the airing on the Internet of a flaw in the wallet’s design that could allow an unauthorized user of a phone to tap into an existing balance on a card by reconfiguring the wallet’s settings.
“We took this step as a precaution until we issue a permanent fix soon,” Vice President for Google Wallet and Payments Osama Bedler wrote in a company blog.
The security flaw was revealed last Thursday by a blogger, identified only as “The Smartphone Champ,” who explained that by opening up the settings section on an Android phone and blanking all the settings for a Google Wallet, an unauthorized user could access any balances on a prepaid card previously linked to the wallet.
The disclosure came just a day after security firm Zvelo publicized a method for cracking a PIN for a Google Wallet. What Zvelo found was that the PIN for the wallet wasn’t stored in its “secure element” — an almost impregnable hardware device in the phone — but in a database protected by the Android operating system. By mounting a brute force attack on that database, a hacker could make it cough up the PIN to the wallet.
A caveat to the attack, however, is that it only works on “rooted” phones, or phones modified by their owners in order to gain greater system access to their mobiles. Rooting is discouraged by phone makers because not only may it void the device’s warranty, but it can create security vulnerabilities in the mobile.
Both the flaws found in Google Wallet last week can be foiled if an owner activates the screen lock feature on their phone. That feature requires a PIN to be entered whenever the phone is activated. If an unauthorized person doesn’t know that PIN, then they can’t get into the phone to work any mischief on it. Many users, though, don’t use that feature because they don’t want to be punching in a PIN numerous times a day.
It’s also important to note that the flaws require an unauthorized party to get physical access to a phone to exploit it. Neither flaw can be performed remotely through malware.
In addition, the vulnerabilities are in the design of the wallet, not in the NFC payment system behind it. If the wallet’s PIN, for example, were placed in the payment’s system secure element, it would be almost unhackable.
“Google Wallet is still significantly more secure than the credit card you use today, even with this vulnerability in the wild,” Zvelo researcher Joshua Rubin told PCWorld.