Seven Tips to Protect Your Google Wallet
Even with Google Wallet's built-in identity theft protections, you still need to be wary of hackers.
The electronic wallet sector has generated a lot of hype. Google Wallet and ISIS - which is ramping up - offer the extravagant prospect of using near-field communications (NFC) technology embedded in or attached to mobile devices to replace payment cards. Swipe your phone at the reader and away you go.
It's all predicated, of course, on the system being secure. On one hand, it's easy to argue that the current use of payment cards is breathtakingly insecure. Reading all your information to a customer service representative who may be copying it down for delivery to crackers hardly seems prudent. It also seems unlikely that the security for traditional in-store purchases is any better.
But that doesn't matter, since those procedures are ensconced. They are not going anywhere soon, if ever. eWallets are new, however, and thus must meet a higher standard.
1) Go into application settings
2) Clear data for Google Wallet
3) Open Wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used
This process can be done by somebody who steals or finds a phone, of course. A site called the Smart Chimp has a video demonstrating how it is done. I'm not linking to it because, as one commenter pointed out, they don't seem to have credited those who uncovered the flaw.
A second problem was reported this week. Researcher Joshua Rubin, building on an examination done late last year by ViaForensics, found that the four-digit PIN can be cracked. Neil Rubenking at PCMag does a good job of explaining, and Rubin offers his own explanation and a video as well. A four-digit PIN is translated into a code. (This is called one-way encryption or hashing, Rubenking said.) The PIN can't be reconstructed from the hash that is created. An app simply applies the same hashing algorithm to whatever somebody trying to gain access types. If what is stored and what is typed are identical, access is granted.
What Rubin realized is that hashing isn't effective when the number of possible originals is small. There are only 10,000 possible values for a PIN consisting of four numeric digits. He quickly whipped up a Google Wallet Cracker program that would check all 10,000 against the stored hash, revealing the correct PIN.
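The following sketch is an added example, not Rubin's program or Google's code. It measures how little work a stored hash of a four-digit PIN costs to exhaust, next to a hypothetical attempt-limited verifier. Salted SHA-256, the class name, the lockout threshold and the sample PIN are all assumptions made for illustration.

```python
import hashlib
import hmac

KEYSPACE = 10_000  # four numeric digits, as stated in the article


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumption: salted SHA-256 stands in for the unnamed hashing algorithm.
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def hashes_to_exhaust(stored: bytes, salt: bytes):
    """Audit helper: count hash computations until the stored value is matched."""
    for n in range(KEYSPACE):
        candidate = f"{n:04d}"
        if hmac.compare_digest(hash_pin(candidate, salt), stored):
            return candidate, n + 1
    return None, KEYSPACE


class AttemptLimitedVerifier:
    """Hypothetical mitigation: the check runs where the caller can neither read
    the hash nor reset the counter, so only max_attempts guesses are tested."""

    def __init__(self, pin: str, salt: bytes, max_attempts: int = 5):
        self._stored = hash_pin(pin, salt)
        self._salt = salt
        self._left = max_attempts

    def verify(self, guess: str) -> bool:
        if self._left <= 0:
            return False  # locked: even the correct PIN is refused
        if hmac.compare_digest(hash_pin(guess, self._salt), self._stored):
            return True
        self._left -= 1
        return False


def guessing_odds(max_attempts: int) -> float:
    """Chance that blind guessing succeeds before lockout."""
    return max_attempts / KEYSPACE


if __name__ == "__main__":
    salt = b"constructed-salt"        # constructed sample value
    stored = hash_pin("4821", salt)   # constructed sample PIN
    print(hashes_to_exhaust(stored, salt))
    print(guessing_odds(5))
```

The salt does not change the outcome, because it is stored beside the hash and the keyspace stays at 10,000 values. The protection in the second half comes entirely from where the counter and hash live, not from the hash function.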
Essentially, there are at least two ways to break into Google Wallet on the table. More are undoubtedly on the horizon. The bottom line is obvious: Google and its vendors need to fix this quickly, and ISIS needs to make sure its infrastructure is safe.