Security company finds PIN protecting Google Wallet may be vulnerable
Online security company zvelo said it has found a vulnerability in Google Wallet that allows an attacker to recover the PIN protecting the app and gain unauthorized access. The company said in a post on its blog that the issue stems from the fact that the PIN protecting access to the Google Wallet app is not currently stored on the device's embedded Secure Element.
A video posted by zvelo shows the vulnerability being exploited.
While such a vulnerability may sound serious, zvelo noted the method for discovering the PIN only works on "rooted" phones, meaning phones where the user has unlocked the device to gain root access to the phone's operating system. That's not something most users will do with their phones. Additionally, the method for grabbing the PIN requires a hacker to actually have possession of the phone, meaning it only works on a lost or stolen phone.
Even with those caveats, zvelo said it "feels that the fact that this attack requires root permissions does not in the least bit diminish the risk it imposes on users of Google Wallet."
The company said it had contacted Google and recommended Google address the issue. According to the post, Google "was able to confirm the issue and agreed to work quickly to resolve it."
An official response from Google noted the zvelo study "was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device."
"To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN," Google said.
Google said it strongly encourages that people not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.
In its post, zvelo offered its own commonsense recommendations for Google Wallet users:
- Do Not “Root” the Cell Phone – Doing so will be one less step for a thief.
- Enable Lock Screens – “Face Unlock,” “Pattern,” “PIN” and “Password” all increase physical security to the device. “Slide,” however, does not.
- Disable USB Debugging – When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
- Enable Full Disk Encryption – This will prevent even USB Debugging from bypassing the lock screen.
- Keep the Device Up-To-Date – Ensure the device is current with the latest official software.