Following reports that its Google Wallet mobile commerce platform is vulnerable to attack, Google (NASDAQ:GOOG) has declared the service "safe" for conducting mobile transactions, adding that it "offers advantages over the plastic cards and folded wallets in use today."
Last week, security firm Zvelo revealed that the Google Wallet PIN, the code required to confirm purchases made with Android devices, can be cracked using an exhaustive numerical search. That means if a rooted Android phone without a screen lock is lost or stolen, thieves could access the encrypted file that stores the PIN and exploit the user's Google account.
In a Google Commerce blog entry, vice president of Google Wallet and Payments Osama Bedier urges consumers against rooting their smartphones. "Google Wallet is protected by a PIN--as well as the phone's lock screen, if a user sets that option," Bedier writes. "But sometimes users choose to disable important security mechanisms in order to gain system-level 'root' access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That's why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device."
In the wake of Zvelo's discovery, tech blog TheSmartphoneChamp identified a second method of attack that impacts all Google Wallet users, regardless of whether their Android phone is rooted. This flaw enables thieves to access Google Wallet app settings and tap "Clear data," erasing all Wallet information stored on the device. The next time Wallet is opened, it offers the initial setup process again, including entering a new PIN and tying the tap-and-pay service to a Google account. The setup process also enables the thief to re-attach the default Google Wallet prepaid card to the app. As TheSmartphoneChamp notes, Google Wallet is tied to the device itself, not the Google account, meaning setup adds the same prepaid card previously attached to the phone. That grants thieves access to all funds added by the original owner, complete with a new PIN enabling them to easily complete payment transactions.
Google has temporarily disabled provisioning of prepaid cards to address the issue, Bedier states, adding, "We took this step as a precaution until we issue a permanent fix soon." He notes that Google also provides toll-free assistance in the event a Google Wallet-enabled device is lost or stolen or if unauthorized transactions are made.
"We will learn much more as we continue to develop Google Wallet," Bedier notes. "In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don't."
Introduced last year, the Near Field Communications-based Google Wallet enables consumers to make purchases by tapping their Android smartphone at 300,000-plus MasterCard PayPass-enabled merchant terminals. Google Wallet also includes support for SingleTap, which allows users to redeem coupons and/or earn rewards points.