After a week of hacks, Google's mobile payment system has lost more of its credibility as a safe payment option, making it just as vulnerable to money-theft as a regular-old billfold. When Google first announced Wallet, it emphasized all the security features, ensuring multiple layers of safety with its hyper-encrypted NFC technology. "A safer Wallet," proclaims the Wallet website. And when the security features all work, it actually was safer than credit cards.
But the latest hack pushes Google Wallet out of the safety zone because really, anyone could do it. All the previous holes, one earlier this week and the other last december, happened on "rooted" phones, meaning that the normal, non tech-savvy thief would have a hard time getting in. "Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices," a Google spokesperson told CNET back in December. Reassuring until The Smart Phone Champ came along and discovered a trick it could use on non-rooted phones. The blog explains:
Go into the application settings menu and clear the data for the Google Wallet app. After doing that your Google Wallet app will be reset and will prompt for you to set a new pin the next time you open it. The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new pin and log into the app, when they add the Google prepaid card it will add the card that is tied to that device. In other words, they’d be able to add your card and have full access to your funds.
If someone got their hands on the phone, it would take about one to two minutes for that person to create a new PIN, which would allow authorization of payments. Just watch. Mom could do it.
"You'll notice it's going to have access to whatever funds were on your Google prepaid account," he explains in that video. Google has ensured that nobody can go into the Wallet when the phone sites idle, so this only works when a thief has the device in hand. Just like a wallet thief would have access to all the dollars within, a Google phone thief gets that cash. "That's a pretty big security hole there," he continues. Yes, just as big of a security hole as carrying around wads of money.
This article is from the archive of our partner The Wire.