Google Wallet NFC payment system can be exploited

An exploit for Google Wallet enables thieves to change a user's PIN and get at the stored funds - without needing to actually hack the device.

Earlier in the week, security firm Zvelo uncovered a way to compromise the Google Wallet NFC payment system, opening the door for criminals to use your phone and empty your virtual pockets. But it was only a problem if your phone was rooted and if you didn't have a lock screen passcode set. But now, blog TheSmartphoneChamp has figured out an exploit to do the same without the phone needing to be first rooted.


The worst part, as Gizmodo points out, is that the method is so simple that it requires essentially no technical expertise or skill at hacking. Just clear the data in the app settings, which prompts you for a new PIN. Put in that new PIN, tie a new Google pre-paid card into it, and all the previous funds are once again available. After that, whoever's holding your phone can wave it in front of any of the many participating retailers, enter the new PIN they just set, and spend your cash.

You know it's serious because Google is issuing the following statement:

We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.

While you wait for Google's fix, there are preventative steps you can take: Enable the lock screen, encrypt your storage, and don't let your phone out of your sight, and you'll be fine. But in real life, that last one's not always so easy.
Google Wallet's adoption rate is still fairly small, limited to only the Samsung Nexus S 4G handset on Sprint, which means this just doesn't affect as many as it could have. But it's obvious that as NFC develops, there are clearly some security considerations that need to be addressed before the technology hits the mainstream in a big way.