Earlier in the week, security firm Zvelo uncovered a way to compromise the Google Wallet NFC payment system, opening the door for criminals to use your phone and empty your virtual pockets. But it was only a problem if your phone was rooted and if you didn't have a lock screen passcode set. But now, blog TheSmartphoneChamp has figured out an exploit to do the same without the phone needing to be first rooted.
The worst part, as Gizmodo points out, is that the method is so simple that it requires essentially no technical expertise or skill at hacking. Just clear the data in the app settings, which prompts you for a new PIN. Put in that new PIN, tie a new Google pre-paid card into it, and all the previous funds are once again available. After that, whoever's holding your phone can wave it in front of any of the many participating retailers, enter the new PIN they just set, and spend your cash.
You know it's serious because Google is issuing the following statement:
We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free atto disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.