Google Wallet Flaw Allows Digital Pickpocket - giesenappy1975

A red-hot and troubling, vulnerability in Google Wallet has been exposed. Unlike a low-risk security egress known yesterday, today's security flaw is represented as painfully gentle.

Security firm Zvelo yesterday determined a vulnerability in Google Wallet, Google's NFC payment arrangement, that allows anyone retention an already-rooted smartphone moving Google Billfold to access the Google Wallet PIN.

Such a exposure allows a drudge to use a Google Wallet-enabled smartphone to God Almighty purchases using the charge card information tied to the NFC chip. Notwithstandin, Google points out that this is a low-risk situation, because it lonesome works if the smartphone has already been unmoving (by the owner), and charge plate information, while useable, is still in safe custody.

Easily Exploit

Today's Sir Thomas More important glitch is described by smartphone blog The Smartphone Chomp, which describes a security measur defect in Google Wallet that is "painfully tardily to do," requires nobelium extra software (dissimilar the Zvelo flaw), and does non require a rooted device.

Essentially, the trouble stems from the fact that recognition circuit board data is tied to the device, not a person's Google account. So anyone property a Google Wallet-enabled call up can change the Google Wallet PIN away sledding into the application settings computer menu and clearing the data for the Google Wallet app. Once this is done, the Google Wallet app leave prompt the user/cyber-terrorist for a new PIN.

Because the identity card data is tied to the device, when the user/hacker adds the Google prepaid card to the Google Wallet app subsequently resetting the data, the old card data will be added to the app. Then the drug user/hacker will now be able-bodied to access the plug-in's finances — although IT should be noted that the quotation card information will tranquil be secure (only does it really matter if it's secure when someone else can accession your funds?).

Here's a demonstration of the vulnerability:

This vulnerability is a much bigger deal than the Zvelo one, because it's easy to do (the Zvelo vulnerability required a modicum of hacking cognition to crack), and it rear comprise performed along any device–vegetable Beaver State not.

Google's Advice

Google has famed the security flaw and tells PCWorld that it's currently functioning on an automated fix that will be available shortly. Meanwhile, Google recommends that all Google Wallet users hardening awake a lock screen American Samoa an additional layer of protection for their call up.

Google also powerfully encourages users who lose or want to sell their Google Wallet-enabled phones call the Google Notecase support (fee) number, 855-492-5538, to disenable the prepaid placard.

Follow Sarah on Twitter, Facebook, or Google+, and and Today @ PCWorld on Twitter.