Google Wallet security issue fixed; PIN codes still at risk?

On Saturday, Google announced that it was temporarily shutting down the use of prepaid credit cards for its Android-based Google Wallet payment service. At the time, Google said it had discovered a flaw in the system that would have allowed the "unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock."

Late on Tuesday, Google announced that Google Wallet can once again use new prepaid credit cards thanks to the company fixing the security flaw. The post stated:

While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers.

Google had come under some fire from users after a research report from Zvelo claimed last week that Google Wallet's PIN codes could be cracked via brute force methods. However, both Zvelo and Google stated this method would work only on Android-based smartphones that had been rooted. Google has also stated publicly that it strongly discourages using Google Wallet on rooted Android phones.

Zvelo has now fired back on that claim, saying that any Android device with Google Wallet could be rooted after it is stolen to gain access to the Google Wallet PIN codes. The report states:

There are more secure approaches to storing this material, such as storing this data in an encrypted container with a strong password, by keeping some parts securely “in the cloud” or protected by an NFC secure element.

Report a problem with article
Previous Story

Rumor: Nokia to release cheap Lumia 610 smartphone?

Next Story

NASDAQ and BATS web sites both hit by cyber attack

10 Comments

Commenting is disabled on this article.

Zvelo has now fired back on that claim, saying that any Android device with Google Wallet could be rooted after it is stolen to gain access to the Google Wallet PIN numbers.

That quote made me laugh. Seriously "ANY ANDROID". So your telling me if I have a locked bootloader, security lock and debugging disabled you'll be able to root my phone with my information still intact.

Dot Matrix said,
Why in the world does Google still think I want my wallet on my phone?

If you don't want to use Google Wallet, then don't add your credit card info onto GW. Simple.

But you might need it for the Android Market which GW is used for Market orders such as apps, movies, etc.

Dot Matrix said,
Why in the world does Google still think I want my wallet on my phone?

dont want it dont use it!!! Its for people who want wallet on their phone.

Back to the original topic
wouldnt rooting wipe everything off your phone.. so rooting a stolen phone to use wallet is pointless unless i am mistaken.

still1 said,

dont want it dont use it!!! Its for people who want wallet on their phone.

Back to the original topic
wouldnt rooting wipe everything off your phone.. so rooting a stolen phone to use wallet is pointless unless i am mistaken.


Nah, you rooting usually just uses an exploit to gain root and add su. Changing roms would but not rooting.

still1 said,

dont want it dont use it!!! Its for people who want wallet on their phone.

Back to the original topic
wouldnt rooting wipe everything off your phone.. so rooting a stolen phone to use wallet is pointless unless i am mistaken.

What I was trying to get at was, it's a disaster waiting to happen. Personally, I foresee some malicious app finding its way onto Android devices that will be able to get into user credencials.