Google has temporarily disabled the provisioning of prepaid cards as the company deals with the fallout from the discovery of security vulnerabilities affecting Google Wallet.
Google Wallet is a mobile payment application that enables users to store information such as credit cards on their mobile phones so they can use their devices to pay for goods and services. According to Osama Bedier, vice president of Google Wallet and Payments, the decision to suspend provisioning capabilities was due to the discovery of an issue that could allow unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock. A permanent fix for the issue is on the way, he blogged Feb. 11.
“We took this step as a precaution until we issue a permanent fix soon,” he wrote.
The situation Bedier was referring to was reported Feb. 9 on the SmartphoneChamp blog.
“All a person who wants to access your Google Wallet has to do is go into the application settings menu and clear the data for the Google Wallet app,” according to the blog. “After doing that your Google Wallet app will be reset and will prompt for you to set a new pin the next time you open it. The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new pin and log into the app, when they add the Google prepaid card it will add the card that is tied to that device. In other words, they’d be able to add your card and have full access to your funds.”
The vulnerability publicized by SmartphoneChamp however was just one of two recent dings on Google Wallet security in recent days. The second is a flaw reported by Joshua Rubin, an engineer at Web security firm Zvelo. According to Rubin, it is possible to execute a successful brute-force attack on the database where the Google Wallet PIN code is stored if the phone has been rooted.
“The vulnerability involves storing an encrypted hash of the Google Wallet PIN in a database that belongs to the app,” explained Jimmy Shah, mobile security researcher at McAfee Labs. “Because it’s not stored in the Secure Element chip, the only protection is Android’s user ID-based “sandboxing.” Normally malicious apps can’t access files belonging to another app, but once the phone is rooted that protection and any others are gone.”
Bedier contended that users should not root their phone, as it can circumvent security.
“Google Wallet is protected by a PIN — as well as the phone’s lock screen, if a user sets that option,” he noted. “But sometimes users choose to disable important security mechanisms in order to gain system-level “root” access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device.”
Bedier added that Google is providing toll-free assistance for anyone who loses a phone or discovers an unauthorized transaction.
“Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet,” he blogged.