Google has suspended the provisioning of prepaid cards for Google Wallet after a second issue with the mobile payment system, affecting non-rooted devices, was discovered.
Last week, a vulnerability within the NFC-based payment system was discovered by security firm Zvelo, which in turn was inspired by the findings of a high-level review of Wallet performed by viaForensics in December last year.
Zvelo and McAfee both developed proof-of-concept videos showing that rooted devices running Wallet were vulnerable.
Google stated that it strongly discourages users from rooting their phones if they plan on using Wallet, saying that it does not support rooted devices, and doing so will in some cases result in Wallet data being automatically wiped.
However, The Smartphone Champ has discovered that even on non-rooted devices users can bypass Wallet's PIN challenge by clearing Wallet's application data. Doing so requires no special knowledge or tools, and, once Wallet is reset and re-opened, it prompts the user to set up a new PIN. When users sign up for Google Wallet, they receive a prepaid card with US$10 of credit, to which they can then add more money. After the PIN is reset, the hacker can associate their newly hijacked Google Wallet with the prepaid card that the phone was already drawing on.
Google associates its prepaid cards with the device rather than a specific Google account, meaning that no further credentials are required, such as the original owner's Google credentials. It also means that should a device be sold on, stolen or found, the subsequent user will be able to reset Wallet and access any remaining funds on the prepaid card previously associated with the device.
While this method of circumventing Wallet's PIN can be used on a device that isn't rooted, it still requires physical access to the device, and the would-be fraudster would need to bypass any additional security mechanisms, such as a screen lock, where one has been set up.
Google has now temporarily disabled the provisioning of its prepaid cards until it can issue a permanent fix. In the meantime, it has advised users to set up a screen lock as an additional layer of protection, and to call Google Wallet support if they wish to disable their prepaid cards, or if they suspect that someone has made a fraudulent transaction.
Although local support for Wallet is rumoured to be in the making, due to the sighting of what appears to be an Australian trial at a Google showcase day in November last year, Australian users have only been able to get Wallet working unofficially by either importing Wallet-enabled devices from the US, or by hacking their devices to gain access to the US$10 prepaid credit that Google offers.