Google Wallet is the name of Google's recently launched cell phone-based credit card payment system. The system uses Near Field Communication (NFC) to exchange data between the cell phone (which holds the user's financial information) and the store. The system has several advantages over physical credit cards, including a potential for greater security when implemented correctly. Security can however also be a weakness if vulnerabilities are discovered that allow attackers to gain access to the PIN protecting Google Wallet.
Google Wallet is currently only available in the United States, on two wireless providers (Sprint and AT&T), and only on the Samsung Nexus S 4G smartphone. Whenever Google Wallet users make purchases, they need to enter the PIN to verify them. One of the weaknesses of the system is that Google decided to use a four digit PIN, which limits the possibilities to just 10,000. While that is convenient for the user, it is problematic from a security point of view.
Joshua Rubin over at Zvelo published an article yesterday that describes how his company analyzed the data Google Wallet saves to the phone and found that the PIN could be brute forced quite easily.
Researchers at Zvelo discovered that Google was saving the PIN in encrypted form on the smartphone. Once they had found the hash and the salt, they immediately started to write brute forcing software to recover the PIN from that data.
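To show why a salt does not rescue a four digit PIN, here is an added example (my own code, not Zvelo's tool or Google's implementation; the salted SHA-256 verifier is an assumed stand-in for whatever format Google actually uses): once the hash and salt are readable from the device, every one of the 10,000 candidates can be checked offline, and even a deliberately slow KDF only multiplies that bounded cost rather than removing it.

```python
import hashlib
import os
import time

PIN_LENGTH = 4
KEYSPACE = 10 ** PIN_LENGTH  # 10,000 possible PINs, as the article notes


def store_pin(pin, salt=None):
    """Fast salted hash: assumed stand-in for an on-device PIN verifier."""
    salt = salt or os.urandom(16)
    return salt, hashlib.sha256(salt + pin.encode()).digest()


def exhaust_keyspace(salt, digest):
    """Offline check of all candidates against a recovered (salt, digest).

    Returns (matching_pin_or_None, candidates_tried). Nothing on the device
    limits attempts here, because the verifier itself has been copied off it.
    """
    for n in range(KEYSPACE):
        candidate = f"{n:0{PIN_LENGTH}d}"
        if hashlib.sha256(salt + candidate.encode()).digest() == digest:
            return candidate, n + 1
    return None, KEYSPACE


def store_pin_slow(pin, salt=None, iterations=100_000):
    """Same PIN, but verified with a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def worst_case_seconds(iterations):
    """Estimate the full-keyspace cost of the slow verifier from one timed guess.

    The result scales linearly with iterations, but is always per_guess * 10,000:
    a slow hash buys time, it does not make an offline verifier safe.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"0000", salt, iterations)
    per_guess = time.perf_counter() - start
    return per_guess * KEYSPACE


if __name__ == "__main__":
    salt, digest = store_pin("4719")  # constructed sample PIN
    print(exhaust_keyspace(salt, digest))  # ('4719', 4720)
    print(f"PBKDF2 100k: ~{worst_case_seconds(100_000):.1f}s for the whole keyspace")
```

The lesson for the defender is that the limiting factor is where the verifier lives, not how it is hashed: a PIN check that an attacker can carry out entirely offline is only as strong as its keyspace.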
Google Wallet Hacker displays the Google Wallet PIN about a second after it is run. The program has to run on the smartphone on which Google Wallet is used, which is currently its greatest limitation.
The vulnerability was disclosed to Google before it was made public. The system has not been updated yet though, which poses a risk to Google Wallet users. Zvelo has posted mitigating factors that may help Google Wallet users keep their PIN secure from brute forcing attacks.
Should you be using Google Wallet right now? This is ultimately your decision, I for one would refrain from using it until the issue gets resolved.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.