Pickpocketing Google Wallet on Android phones

Attendees watch a demonstration of the Google wallet application screen during a news conference unveiling the mobile payment system in New York May 26, 2011. Credit: REUTERS/Shannon Stapleton

Simple, non-tech hack opens Google Wallet giving full access to phone funds.

Twice in two days, with different hacks, must be a record for security epic fail. First, there were reports of brute-force attacks breaking the four-digit PIN (Personal Identification Number) on "rooted" Android phones. Rooting violates security recommendations, but many do it. This was troublesome, but not serious.

The second hack is serious (see video), and Google acknowledged the problem. A thief need only clear the Wallet app's data in the phone's app settings, which causes Google Wallet to ask for a new PIN. Yes, it asks the thief for a new PIN. That gives access to any Google PrePaid card resources. Google is working on an update, and suggests everyone use a PIN-based, not a swipe-based, screen lock.
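The flaw described above, reduced to a toy Python model. This is an added illustration, not Google Wallet's code: the page does not describe Wallet's internals, so `Issuer`, `WalletApp`, the device-bound card and the account-password check are all assumptions. The PIN lives in clearable app data while the prepaid card follows the device, so the first-run flow hands the balance to whoever sets the next PIN; the hardened path demands account re-authentication before the card is re-attached.

```python
import hashlib, hmac, os

def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Issuer:
    """Constructed stand-in for the prepaid-card backend (assumption)."""
    def __init__(self):
        self.cards = {}      # device_id -> balance in cents
        self.enrolled = {}   # device_id -> (salt, account-password hash)

    def enroll(self, device_id, balance, password):
        salt = os.urandom(16)
        self.cards[device_id] = balance
        self.enrolled[device_id] = (salt, _kdf(password, salt))

    def attach(self, device_id, password=None, hardened=True):
        """Return the balance to re-attach, or None if refused."""
        salt, want = self.enrolled[device_id]
        # Vulnerable mode: the card follows the device; the holder is never checked.
        if hardened and not hmac.compare_digest(_kdf(password or "", salt), want):
            return None
        return self.cards[device_id]

class WalletApp:
    def __init__(self, issuer, device_id, hardened):
        self.issuer, self.device_id, self.hardened = issuer, device_id, hardened
        self.app_data = {}   # everything "clear data" in app settings wipes

    def clear_app_data(self):
        self.app_data = {}   # the PIN record disappears with it

    def set_pin(self, pin, password=None):
        """First-run flow: offered whenever no PIN record exists locally."""
        if "pin" in self.app_data:
            return False
        balance = self.issuer.attach(self.device_id, password, self.hardened)
        if balance is None:
            return False     # hardened: no re-authentication, no card
        salt = os.urandom(16)
        self.app_data = {"pin": (salt, _kdf(pin, salt)), "balance": balance}
        return True

    def spendable(self, pin):
        """Balance available to someone who enters this PIN, else None."""
        rec = self.app_data.get("pin")
        if rec and hmac.compare_digest(_kdf(pin, rec[0]), rec[1]):
            return self.app_data["balance"]
        return None
```
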

Holy crap

This is a major security flaw, and a stupid one at that.

roofuskit on theverge.com

Erm, how many sets of eyes/hands has Google Wallet been past/through over at the Chocolate Factory? Must be at least several hundred people, evidently none of whom thought to check this.

Tony Barnes on theregister.co.uk

Collectively, after 30 or so years, we've just not caught on to IT security yet.

Graham Wilson on theregister.co.uk

Not worried

So, is this more dangerous than if I lose my ACTUAL wallet?

fritzo2162 on gizmodo.com

This is an issue that Google needs to fix, but I don’t think it’s as severe as it’s made out to be.

tekapo on theverge.com

Even with all these vulnerabilities, your CC is a lot safer in your phone than in your physical wallet.

thaprinze on theverge.com

Security fail

Faildroid.

Microsoft on theverge.com

Posted on the same day as the article "lets kill cash... our moneyless future" haha!

tailsNZ on gizmodo.com

Maybe I’m missing something, but why not just force users to enter the PIN before the user can “clear the data” in the first place?

jonmilani on theverge.com

Other Google advice: don't lose your phone. Good luck with that.
