Google Wallet NFC payment system can be exploited

Google Wallet NFC payment system can be exploited

Summary: An exploit for Google Wallet enables thieves to change a user's PIN and get at the stored funds - without needing to actually hack the device.

SHARE:
TOPICS: Security, Google
8

Earlier in the week, security firm Zvelo uncovered a way to compromise the Google Wallet NFC payment system, opening the door for criminals to use your phone and empty your virtual pockets. But it was only a problem if your phone was rooted and if you didn't have a lock screen passcode set. But now, blog TheSmartphoneChamp has figured out an exploit to do the same without the phone needing to be first rooted.

Uh-oh.

The worst part, as Gizmodo points out, is that the method is so simple that it requires essentially no technical expertise or skill at hacking. Just clear the data in the app settings, which prompts you for a new PIN. Put in that new PIN, tie a new Google pre-paid card into it, and all the previous funds are once again available. After that, whoever's holding your phone can wave it in front of any of the many participating retailers, enter the new PIN they just set, and spend your cash.

You know it's serious because Google is issuing the following statement:

We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.

While you wait for Google's fix, there are preventative steps you can take: Enable the lock screen, encrypt your storage, and don't let your phone out of your sight, and you'll be fine. But in real life, that last one's not always so easy.
Google Wallet's adoption rate is still fairly small, limited to only the Samsung Nexus S 4G handset on Sprint, which means this just doesn't affect as many as it could have. But it's obvious that as NFC develops, there are clearly some security considerations that need to be addressed before the technology hits the mainstream in a big way.

Topics: Security, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • RE: Google Wallet NFC payment system can be exploited

    so basically it's the same as if you lose your phone and the robber starts making calls and charges lots of money to your account? if the prepaid card runs out there's no more harm right?
    clausmarquez
  • RE: Google Wallet NFC payment system can be exploited

    Freaking talkback deleting comments. Anyways, while it's definitely a security problem, it's not exactly any different from a credit card being stolen. Just call up and have it canceled.
    Aerowind
    • agreed

      There's nothing really new about this... It's just that it's now connected to your phone, instead of a (mostly) plastic card.
      shryko
  • RE: Google Wallet NFC payment system can be exploited

    I think bad people should stick to stealing my wallet and taking out a $20 bill from it. Much faster that way. Nothing to root and nothing to bypass.
    rengek
    • rooting isn't something THEY would do...

      The rooting is something that most likely a thief wouldn't do...
      ...and the article even says that it's no longer required.
      "But now, blog TheSmartphoneChamp has figured out an exploit to do the same without the phone needing to be first rooted"

      ...it's not that big a target at the moment, mainly because A) it's effort involved; and, B) you'll probably get more value from the phone itself instead of the google wallet; and, C) google wallet NFC isn't exactly common yet. (recall the article mentioning how it's only on Sprint and only the 1 phone model)
      shryko
  • RE: Google Wallet NFC payment system can be exploited

    This has got to be fixed quickly. Consumer trust and adoption is at stakes here, and bad publicity could do damage to this tech. There should be no beta (stated or not) involved when dealing with people's money.
    themarty
    • Beta is always going to happen...

      but I agree it should be done internal to the company, not with the general public.

      That said, there's been weaknesses in the INTERAC system, which weren't known/discovered at the time of creation. This is a similar situation where it needs to be fixed.

      There should be no delay in fixing it, but updates might have issues with distribution, if not everyone updates to a fixed version, or whatnot.
      shryko
    • RE: Google Wallet NFC payment system can be exploited

      @themarty

      That's the key thing. It's not the probability, it's the credibility. Screw ups like this can be survived once a technology is off the ground, but this can set it back.
      TroyMcClure