San Francisco — Google Wallet is an ambitious experiment, to say the least. In a drastic move to keep its consumers from being ripped off, search giant Google has temporarily disabled prepaid credit card functionality in its Google Wallet mobile app while it works on a “permanent fix” for a newly exposed security flaw.
The move over the weekend follows the publication on the Internet of a flaw in the wallet’s design that could allow an unauthorized user of a phone to tap into an existing balance on a card by reconfiguring the wallet’s settings.
Google takes “concrete actions to help protect its users,” said Osama Bedier, Vice President, Google Wallet and Payments, in a blog post yesterday. “For instance, to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon,” Bedier added.
The Google Wallet mobile app saves your credit cards and offers on your phone. When you check out at a brick-and-mortar store that accepts Google Wallet, you can pay and redeem offers by tapping your phone at the point of sale. You can also set up a Google Wallet Prepaid Card account through the app. But if a user loses a phone that holds prepaid card data and has no screen lock set, whoever picks it up can access the account by re-establishing a PIN for the app.
This flaw was revealed last Thursday by a blogger, identified only as ‘The Smartphone Champ’, who explained that by opening the settings section on an Android phone and blanking all the settings for Google Wallet, any unauthorized user could access any balances on a prepaid card previously linked to the wallet. The method does not require a rooted device.
The acknowledgement came just a day after security firm Zvelo publicized a method for cracking a Google Wallet PIN. What Zvelo discovered was that the PIN for the wallet was not stored in its “secure element” (an almost impregnable hardware device in the phone) but in a database protected by the Android operating system.
Breaking into a smartphone app that imitates a credit card ought to be tricky, and for Google Wallet it has lately proved exactly that: tricky, but not impossible. By mounting a brute force attack on that database, a hacker could make it cough up the PIN to the wallet.
Taken together, the two most recent vulnerabilities disclosed for Google Wallet would allow an attacker to obtain a user’s Google Wallet PIN without tripping the app’s ‘five strikes and you are out’ guess-prevention system, and would give an attacker with physical access to the smartphone a way to tap into the funds of any prepaid Google cards previously linked to the device.
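Why it matters where the PIN verifier lives, as an added example that is not from the article, Google or Zvelo: it compares a stored PIN value that can be tested offline with one that can only be tested through a strike counter. It assumes a four-digit PIN kept as a salted SHA-256 digest (the article does not say how the PIN was stored), and all function and class names are hypothetical.

```python
import hashlib
import hmac
import os

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # assumption: four-digit PIN

def pin_digest(pin: str, salt: bytes) -> bytes:
    # Assumed storage format (not from the article): SHA-256 over salt || PIN.
    return hashlib.sha256(salt + pin.encode()).digest()

def offline_guesses_needed(stored: bytes, salt: bytes) -> int:
    """Guesses needed once digest and salt are readable: nothing counts strikes."""
    for count, guess in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(pin_digest(guess, salt), stored):
            return count
    return -1

class AttemptLimitedVerifier:
    """Model of a verifier that keeps the secret and the strike counter together,
    so every guess has to pass through the counter."""
    MAX_STRIKES = 5

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._stored = pin_digest(pin, self._salt)
        self._strikes = 0

    def verify(self, guess: str) -> bool:
        if self._strikes >= self.MAX_STRIKES:
            raise PermissionError("locked after too many wrong PINs")
        if hmac.compare_digest(pin_digest(guess, self._salt), self._stored):
            self._strikes = 0
            return True
        self._strikes += 1
        return False

def guesses_before_lockout(verifier: AttemptLimitedVerifier) -> tuple[bool, int]:
    """Return (pin_found, guesses_made) when every guess goes through the verifier."""
    for count, guess in enumerate(PIN_SPACE, start=1):
        try:
            if verifier.verify(guess):
                return True, count
        except PermissionError:
            return False, count - 1
    return False, len(PIN_SPACE)

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = pin_digest("7291", salt)  # constructed sample PIN
    print("offline guesses:", offline_guesses_needed(stored, salt))
    print("rate-limited:", guesses_before_lockout(AttemptLimitedVerifier("7291")))
```

With only 10,000 possible values, salting and hashing do not protect the PIN once the stored value can be read; the strike counter only helps when guesses cannot bypass it.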
“People are asking if Google Wallet is safe enough for mobile phone payments. The simple answer to this question is yes. In fact, Google Wallet offers advantages over the plastic cards and folded wallets in use today,” wrote Bedier, in a blog post Friday.
Paying through credit or prepaid card accounts on mobile devices is rapidly on the rise. But consumers also have to be diligent in taking all possible precautions to protect credit, debit or prepaid card account data on their devices.
“Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet,” Bedier said.