Google Wallet Hacked

[Mobimop]

I just came across this article from last February regarding Google Wallet and how the PIN is kept on the O/S instead of on the NFC chip. Supposedly only rooted phones are susceptible because of access to the file system and a brute force attack could be accomplished rather efficiently given this is only a 4 digit pin. My question is has this changed by a security update from Google or is this something we all should be concerned about?

Cracked! Google Wallet PIN Raises Big Security Concerns for Mobile Payments | SiliconANGLE

Thanks

 

[Mobimop]

I just came across this article from last February regarding Google Wallet and how the PIN is kept on the O/S instead of on the NFC chip. Supposedly only rooted phones are susceptible because of access to the file system and a brute force attack could be accomplished rather efficiently given this is only a 4 digit pin. My question is has this changed by a security update from Google or is this something we all should be concerned about?

Cracked! Google Wallet PIN Raises Big Security Concerns for Mobile Payments | SiliconANGLE

Thanks

And now I find that you don't even have to be rooted... The article states Google was working on a fix. Was that released?

Google Wallet hacked again, no root access required this time | Android and Me

 

[cokeblack]

Google already has a fix for this. Its called locking your screen.
Sent from my Nexus 7 using Tapatalk 2

 

[Mobimop]

Google already has a fix for this. Its called locking your screen.
Sent from my Nexus 7 using Tapatalk 2

Nice that's like saying to increase your PC security please power down your computer...

Here is what Google stated at the time, I'm only asking if the "fix" was pushed out....

Update: Google has provided us with the following statement: ”We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

 

[jpr]

Yes, they fixed that right after it was discovered back in February. And as far as the first one, no one should be running Google Wallet on a rooted device unless they willingly accept that risk. Wallet is not supported on rooted devices because of how unsecure rooted devices are. If people choose to ignore that and purposely put their money at risk in that way, they have to take responsibility for that. They also have to take responsibility for not setting a PIN screen lock and other basic security measures. There are more security measures available to protect your Google Wallet card than there are to protect your credit card in your wallet or pocket. But no one can make anyone take advantage of those measures. You have to take responsibility for your money. And just so there are no misunderstandings, I am not directing the word 'you' at any person - just anyone using Wallet.

 

[1088933]

I'm rooted and I can't even add cards, won't let me add anything. I know that they released a security update for it, you can probably find the article here.

 

[jschu22]

At least there's a way someone can access the funds, since its literally hit or miss (mostly miss) when I try to use it.

Sent from my Galaxy Nexus using Android Central Forums

 

[font1975]

I just came across this article from last February regarding Google Wallet and how the PIN is kept on the O/S instead of on the NFC chip. Supposedly only rooted phones are susceptible because of access to the file system and a brute force attack could be accomplished rather efficiently given this is only a 4 digit pin. My question is has this changed by a security update from Google or is this something we all should be concerned about?
Thanks

It's been awhile since this was out, but as I recall, it was only an issue for pre-paid cards. If you added funds to your prepaid card, someone could technically gain access and use whatever amount was left on the card. That was it.

With the newest version, you can disable wallet for a given device from your Google account. You can also remove any credit cards associated with the Wallet app.

The thing to remember is this: These hacks required access to your phone. It wasn't like someone was remotely tapping into Wallet and had free reign to your bank account. Google Wallet still seems more secure than your wallet in your back pocket. At the very least, it's just as safe.

I'm not giving a free pass to Google. They should and have - AFAIK - fixed any known issues with Wallet. But this "security issue" was never any worse than someone losing their wallet or purse. If you lose your phone, regardless of how secure the Wallet app is, you'll still want to immediately disassociate the phone from Wallet, or remote wipe it if you can. (And to be absolutely safe, report any associated cards as stolen.)

 

[prim8]

This seems to me to be no less secure than the credit cards in your wallet.
After all, they need your phone and technical know-how to do it.

With your credit card they just use it. Maybe they need to figure out your zip code but that's on your drivers license or id anyway.