More

HuffPost Social Reading

Google Wallet A Security Risk, Say Researchers

Google Wallet Security

First Posted: 02/10/2012 7:15 pm Updated: 02/11/2012 2:22 pm

Inspiring
 Funny
 Obsolete
 Scary
 Must-Have
 Amazing
 Innovative
 Nerdy


By Sinead Carew and Jim Finkle

NEW YORK (Reuters) - Security researchers said they found a vulnerability in the Google Inc mobile payments platform which is currently available in phones sold by Sprint Nextel Corp.

Mobile payment services that allow consumers to pay by waving their phone at a check-out terminal, instead of using a credit card, have long been available in Japan and some other countries but are only just emerging in the United States.

Isis, a venture of Verizon Wireless, AT&T Inc and T-Mobile USA, is expected to launch an offering to compete with Google but has yet to announce a launch date.

The alleged vulnerability in the Google Wallet was identified by Joshua Rubin, a senior engineer with zvelo, a closely held security firm in Greenwood Village, Colorado.

Rubin developed an app dubbed Wallet Cracker that he says can break the four-digit PIN required to launch the Google Wallet app. He demonstrated how it works in a video on his blog (http://bit.ly/zgO2L6)

Rubin said that he had disclosed his findings to Google and that the company "was able to confirm the issue and agreed to work quickly to resolve it."

Google spokesman Jay Nancarrow in an emailed statement said "We are working to resolve the issue," even as he took issue with the study that prompted the allegations.

"The zvelo study was conducted on their own phone, on which they disabled the security mechanisms that protect Google Wallet by 'rooting' the device," Nancarrow said.

Google, he added, recommends that people not install Google Wallet on "rooted" devices and that they should set up a screen lock as an additional layer of security.

Sprint representatives were not immediately available for comment.

Google's Wallet partners also include Citigroup Inc and payment network MasterCard.

Emily Collins, a Citi spokeswoman, said no Citi cardholder information is stored in the Google Wallet nor are cardholders liable for unauthorized transactions.

Jimmy Shah, a security researcher for security software specialist McAfee, said on Friday that the vulnerability did not appear to be a very easy one to exploit.

But he said it was theoretically possible if a hacker was able to physically steal a user's phone.

Shah said that a hacker would need time to install the Cracker app and to install another piece of malware to disable the phone's security system before being able to run the Cracker app to retrieve the PIN number.

The hacker would also still need the phone itself in order to be able to make payments using the stolen Google Wallet.

"It's a nice theoretical attack but it's not a very simple attack," Shah told Reuters.

McAfee is owned by chipmaker Intel Corp.

(Reporting By Sinead Carew in New York and Jim Finkle in Boston. Editing by Matthew Lewis and Bob Burgdorfer)

Also on HuffPost:

FOLLOW HUFFPOST TECH

By Sinead Carew and Jim Finkle NEW YORK (Reuters) - Security researchers said they found a vulnerability in the Google Inc mobile payments platform which is currently available in phone...
By Sinead Carew and Jim Finkle NEW YORK (Reuters) - Security researchers said they found a vulnerability in the Google Inc mobile payments platform which is currently available in phone...
Related News On Huffington Post:
 

Read more from Huffington Post bloggers:
Brett King

Brett King: Who Needs a Bank Branch When You've Got a Mobile Phone?

In its purest form, this will be simply a challenge to the branch-led distribution model. How so? Ultimately, with mobile banking and payments, the branch and resultant paperwork processes becomes a convenience "penalty" for transactional and basic onboarding.

Filed by Catharine Smith  | 

More in Technology...


 
 
  • Comments
  • 36
  • Pending Comments
  • 0
  • View FAQ
Comments are closed for this entry
View All
Favorites
Recency  | 
Popularity
Page: 1 2  Next ›  Last »  (2 total)
photo
Jay Gould
416 Fans
 
04:33 PM on 02/28/2012
A new announcement from Isis (http://www.paywithisis.com) about a partnership with three card issuers reveals why Google is leading the digital wallet field. Well, that and the fact that Isis hasn't even launched its service yet and will not do so until July, if current schedule holds, while Google Wallet has been up and running since September of last year. Instead, Isis should be busy building relationships with its users, using the card issuers as nothing more than vendors. That is exactly what PayPal has been doing for so long now and is one of the reasons for its great success. For a more detailed analysis: http://blog.unibulmerchantservices.com/a-non-news-from-isis-tells-us-why-google-leads-the-digital-wallet-field.
Permalink  |
photo
trron9
46 Fans
06:26 PM on 02/13/2012
This app is pre-installed on my Nexus S smartphone, I've never attempted to use it but after reading this article I think I'll wait until the the bugs are worked out!
Permalink  |
photo
Jay Gould
416 Fans
 
04:28 PM on 02/13/2012
I love the concept behind Google Wallet (http://www.google.com/wallet), because I believe that digital wallets, just like their physical equivalents, should allow their users to store in them all of the payment instruments they may want, including credit and debit cards issued by different banks and displaying different brand logos. And Google is doing precisely that.

However, data security is much more important than either user-friendliness or convenience. In fact, your service should not be offered to consumers until you can guarantee that your system can protect their personal information. And that is clearly not the case with Google. Moreover, hacking Google Wallet is reported to be a "trivial" exercise, which makes me wonder whether Google even cares all that much about protecting its customers' information. I can only hope they will prove that they do. http://blog.unibulmerchantservices.com/app-cracks-your-google-wallet-pin-in-seconds
Permalink  |
photo
HUFFPOST SUPER USER
rottnkid
Do as I say, not as I do-Oh wait that's the 1%
290 Fans
 
10:27 PM on 02/12/2012
Cash is King.
Permalink  |
jacksjill
9 Fans
04:32 PM on 02/12/2012
Duh??? We needed someone to tell us this??
Permalink  |
photo
HUFFPOST SUPER USER
ogaraj
38 Fans
06:57 PM on 02/12/2012
duh... the wallet in your pocket is still less secure than this solution is
Permalink  |
photo
HUFFPOST SUPER USER
frank day
Republican = FAIL
6139 Fans
 
09:39 AM on 02/13/2012
Not so.
Permalink  |
photo
KarmaPatrol
Fair and balanced and sugar-free
102 Fans
09:08 AM on 02/12/2012
My money flies out of my normal wallet fast enough, but thanks anyway.
Permalink  |
This user has chosen to opt out of the Badges program
IDIOTA
356 Fans
11:07 PM on 02/11/2012
If one does not root the device then it's safe?
Permalink  |
photo
waldopepper
I'd tell you all about me if you were my friend.
522 Fans
03:58 AM on 02/12/2012
Seems that you also have to have your phone stolen, an app installed and other security features disabled.

Long long odds of all this happening. It is nothing to worry about.

A media fear mongering event and nothing more.
Permalink  |
photo
HUFFPOST SUPER USER
KadejaLatefah
That's right...I said it!
208 Fans
01:58 PM on 02/12/2012
right. the truth is there is no completely safe mobile, cloud or wireless.
Permalink  |
nishioka
uɐıןɐɹʇsnɐ sı oıq-oɹɔıɯ sıɥʇ
127 Fans
04:14 PM on 02/12/2012
> Long long odds of all this happening. It is nothing to worry about.

Just because the process is a pain to execute now doesn't mean it always will be. All it takes is one person figuring out how to streamline the whole thing (for example, the iOS jailbreak last summer that required that you simply view a specially-formatted PDF file in Safari) before it becomes a nightmare for Google and Wallet users.

It's difficult to write an article without going over most folks' heads and without making it seem like it's a doomsday weapon that's going to drain everyone's bank accounts, but to dismiss the problem as "nothing to worry about" seems like a mistake if you ask me.
Permalink  |
photo
HUFFPOST SUPER USER
ogaraj
38 Fans
07:00 PM on 02/12/2012
Its far safer than your your credit card in your physical wallet. This exploit only works on a phone that was already hacked, and even then its still safer than your traditional credit card. You can GPS locate your phone if its stolen, and even remote wipe it. Try that with your credit card or cash.
Permalink  |
This user has chosen to opt out of the Badges program
mmbcf
102 Fans
08:55 PM on 02/11/2012
So now I have to watch my wallet and my phone? My phone was always replaceable and not much value to thieves as I would just shut off the service and get a new phone. But now I lose my phone while at the bar one night and awake to my checking and savings accounts drained? No thanks I'll stick with waving my debit card instead
Permalink  |
photo
vampyreincubus
89 Fans
08:03 PM on 02/11/2012
This whole country is a security risk, especially to the security of freedom.
Permalink  |
photo
HUFFPOST SUPER USER
amongus
20 Fans
05:43 PM on 02/11/2012
if you choose root your device - all bets are off re: company responsibility and device secruity. that said, i think it should be an individual's right to be able to do so. at your own risk.
Permalink  |
photo
Orlando R Reyes Sr
13 Fans
04:29 PM on 02/11/2012
Stay alert, educate yourself. Live and love within your means!...?
Permalink  |
photo
HUFFPOST SUPER USER
gregory57
Micro-bio, was one of my favorite classes.
478 Fans
04:05 PM on 02/11/2012
Using your wireless phone as a credit card? Come on... what could go wrong with that?!
Permalink  |
KevinInfobia
5 Fans
 
11:35 AM on 02/12/2012
Awesome!!!

Kevin
www.SimpliSafe.com
Permalink  |
photo
HUFFPOST SUPER USER
MiMi LLawsonn
210 Fans
03:57 PM on 02/11/2012
A google search is what convicted a man in NORTH CAROLINA LAST YEAR...and it was NOT EVEN PROVED IN COURT THAT HE DID IT.....http://ireport.cnn.com/docs/DOC-736024

The link provides information concerning it....IT WILL SHOCK YOU.....as it did a lot of us supporters....
Permalink  |
photo
HUFFPOST SUPER USER
madcityy
181 Fans
03:27 PM on 02/11/2012
GOOGLE SEEMS TO HAVE GONE TO HELL
Permalink  |
natal plum
227 Fans
02:36 PM on 02/11/2012
Seems like everything Google is doing these days amount to a threat on personal safety or freedom doesn't t. Just last week they announced their new assault on your personal information and now this.
Permalink  |
nobodyzhome
9 Fans
12:50 PM on 02/12/2012
You mean their privacy policy? What changed with that? Other than consolidating it, how was it different than before?
Permalink  |
natal plum
227 Fans
01:17 PM on 02/12/2012
Can't opt out of their mandatory tracking. That means change browsers, no g-mail and any other google app. I'm going to miss YouTube
Permalink  |
Page: 1 2  Next ›  Last »  (2 total)