Google Wallet Flaw Allows Digital Pickpocket

Security firm Zvelo yesterday discovered a vulnerability in Google Wallet, Google's NFC payment system, that allows anyone holding an already-rooted smartphone running Google Wallet to access the Google Wallet PIN.

Such a vulnerability allows a hacker to use a Google Wallet-enabled smartphone to maker purchases using the credit card information tied to the NFC chip. Nevertheless, Google points out that this is a low-risk situation, because it only works if the smartphone has already been rooted, and credit card information, during useable, is all in all secure.

Today's more serious glitch is described by smartphone blog The Smartphone Champ,which describes a security flaw in Google Wallet in other words "painfully easy to do," requires no extra software, and does not require a rooted device.

Basically, the problem stems from the fact that credit card data is tied to the device, not a person's Google account. So anyone holding a Google Wallet-enabled phone can change the Google Wallet PIN by going into the application settings menu and clearing the data for the Google Wallet app. Once this is done, the Google Wallet app will prompt the user/hacker for a new PIN.

The security flaw

Google has noted the security flaw and tells PCWorld it's currently working on an automated fix that will be available shortly. In the meantime, Google recommends that all Google Wallet users set up a lock screen as an additional layer of protection for their phone.

Google as well strongly encourages users who lose or want to sell their Google Wallet-enabled phones call the Google Wallet support number, 855-492-5538, to disable the prepaid card.