Two Ways to Pickpocket Google Wallet Emerge

Carl Weinschenk

Even with Google Wallet's built-in identity theft protections, you still need to be wary of hackers.

The electronic wallet sector has generated a lot of hype. Google Wallet and ISIS - which is ramping up - offer the extravagant prospect of using near-field communications (NFC) technology embedded in or attached to mobile devices to replace payment cards. Tap your phone on the reader and away you go.

It's all predicated, of course, on the system being secure. On one hand, it's easy to argue that the current use of payment cards is breathtakingly insecure. Reading all your information to a customer service representative who may be copying it down for delivery to crackers hardly seems prudent. It also seems unlikely that the security for traditional in-store purchases is any better.

But that doesn't matter, since those procedures are entrenched. They are not going anywhere soon, if ever. eWallets are new, however, and thus must meet a higher standard.

Things are not going too well on that front. Google Wallet - the only one of the two actually released - has been poked and prodded, and the results are troubling. Late last year, the xda-developers site offered a brief post suggesting that hijacking somebody's Google Wallet prepaid balance is as easy as one, two, three, four:

1) Go into application settings

2) Clear data for Google Wallet

3) Open wallet and set it back up

4) Everything remaining on your Google prepaid card can now be used

This process can be done by somebody who steals or finds a phone, of course. It works because the prepaid balance is provisioned to the handset itself rather than to the Google account that loaded it, so whoever sets Wallet up again inherits whatever was left. A site called the Smart Chimp has a video demonstrating how it is done. I'm not linking to it because, as one commenter pointed out, they don't seem to have credited those who uncovered the flaw.

A second problem was reported this week. Researcher Joshua Rubin, building on an examination done late last year by ViaForensics, found that the four-digit PIN can be recovered. Neil Rubenking at PCMag does a good job of explaining, and Rubin offers his own explanation and a video as well. The PIN itself is never stored. Instead it is run through a one-way function (hashing, as Rubenking calls it) and only the resulting hash is kept; the PIN cannot be reconstructed from that hash. On each unlock attempt, the app hashes whatever is typed and compares the result with the stored value. If the two match, access is granted. The catch is that anyone who can read the stored hash - which, for a phone in the attacker's hands, in practice means root access to the app's private data - can run that same comparison offline, as many times as they like, with nothing to stop them.

Wrote Rubenking:

What Rubin realized is that hashing isn't effective when the number of possible originals is small. There are only 10,000 possible values for a PIN consisting of four numeric digits. He quickly whipped up a Google Wallet Cracker program that would check all 10,000 against the stored hash, revealing the correct PIN.
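The search Rubenking describes, written out as an added example rather than Rubin's actual Google Wallet Cracker: it assumes a hypothetical storage format of hex(SHA-256(salt || PIN)) with the salt stored beside the hash, which is what an attacker who can read the app's data would have. The second half shows the defence the offline attack sidesteps: a verifier that keeps the hash to itself, answers only yes or no, and locks after a handful of wrong guesses, which is what moving PIN verification into a tamper-resistant element buys you. The PINs and salts below are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed on-disk format for this example: hex(SHA-256(salt || pin)).
# It follows the page's description of a stored one-way hash; it is not a
# reproduction of Google Wallet's real storage format.
PIN_SPACE = 10_000  # four numeric digits: 0000..9999


def hash_pin(pin: str, salt: bytes) -> str:
    """One-way hash of a PIN, as the text describes: the PIN itself is never stored."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def crack_pin_offline(stored_hash: str, salt: bytes) -> Optional[str]:
    """Rubin's observation in code: only 10,000 candidates exist, so hash each one
    and compare it with the stolen hash. A salt does not help here because it is
    stored next to the hash, and nothing limits the number of guesses."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if hmac.compare_digest(hash_pin(candidate, salt), stored_hash):
            return candidate
    return None


class OnlinePinVerifier:
    """Models a verifier that holds the hash itself (think: inside a tamper-resistant
    element), answers only yes/no, and locks after too many wrong guesses."""

    def __init__(self, pin: str, max_attempts: int = 5) -> None:
        self._salt = os.urandom(16)
        self._hash = hash_pin(pin, self._salt)
        self.max_attempts = max_attempts
        self.remaining = max_attempts

    def verify(self, attempt: str) -> bool:
        if self.remaining == 0:
            raise PermissionError("PIN locked: retry limit exhausted")
        self.remaining -= 1
        ok = hmac.compare_digest(hash_pin(attempt, self._salt), self._hash)
        if ok:
            self.remaining = self.max_attempts  # a real lockout counter resets on success
        return ok


def crack_pin_online(verifier: OnlinePinVerifier) -> Optional[str]:
    """The same 10,000-guess search, but forced through the verifier's interface.
    It succeeds only if the PIN happens to fall within the retry budget."""
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        try:
            if verifier.verify(guess):
                return guess
        except PermissionError:
            return None
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    stolen = hash_pin("4719", salt)  # constructed: what an attacker with root reads off the phone
    print("offline:", crack_pin_offline(stolen, salt))  # finds 4719 in well under a second
    print("online: ", crack_pin_online(OnlinePinVerifier("4719")))  # None: locked after 5 guesses
```

Swapping SHA-256 for a slow password hash only multiplies the offline cost by a constant; with 10,000 candidates, even a hash tuned to a tenth of a second per guess falls in under twenty minutes. The property that actually matters is that the attacker never gets the hash at all and has to go through a rate-limited check.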

Essentially, there are at least two ways to break into Google Wallet on the table. More undoubtedly are on the horizon. The bottom line is obvious: Google and its vendors need to fix this quickly, and ISIS needs to make sure its infrastructure is safe.
