Google wallet suspends prepaid credit card functions
LATEST NEWS
- NZ game industry: Indie game development is bad for your health
- NZ game industry: Govt support for development increasing
- Telecom opens pre-orders for Samsung Galaxy S III || 4
- Video, connection costs major factors in broadband uptake: ComCom
- No more risk to privacy on Facebook, than web: MED
- Raspberry Pi arrives in New Zealand || 4
SUBSCRIBE
Computerworld is New Zealand's only specialised information systems fortnightly. Subscribe now for $100 (23 issues) and save more than 37% off the cover price!
SIGN UP
Google has suspended prepaid capabilities on credit cards linked to its mobile wallet after a security flaw was exposed
By John P. Mello Jr. | San Francisco | Monday, 13 February, 2012
Google has suspended prepaid capabilities on credit cards linked to its mobile wallet after a security flaw was exposed.
Saturday's move comes following the airing on the Internet of a flaw in the wallet's design that could allow an unauthorised user of a phone to tap into an existing balance on a card by reconfiguring the wallet's settings.
"We took this step as a precaution until we issue a permanent fix soon," vice president for Google Wallet and Payments Osama Bedler wrote in a company blog.
The security flaw was revealed last Thursday by a blogger calling who explained that by opening up the settings section on an Android phone and blanking all the settings for a Google Wallet, an unauthorised user could access any balances on a prepaid card previously linked to the wallet.
The disclosure came just a day after security firm Zvelo publicized a method for cracking a PIN for a Google Wallet. What Zvelo found was that the PIN for the wallet wasn't stored in its "secure element" -- an almost impregnable hardware device in the phone -- but in a database protected by the Android operating system. By mounting a brute force attack on that database, a hacker could make it cough up the PIN to the wallet.
A caveat to the attack, however, is that it only works on "rooted" phones, or phones modified by their owners in order to gain greater system access to their mobiles. Rooting is discouraged by phone makers because not only may it void the device's warranty, but it can create security vulnerabilities in the mobile.
Both the flaws found in Google Wallet last week can be foiled if an owner activates the screen lock feature on their phone. That feature requires a PIN to be entered whenever the phone is activated. If an unauthorised person doesn't know that PIN, then they can't get into the phone to work any mischief on it. Many users, though, don't use that feature because they don't want to be punching in a PIN numerous times a day.
It's also important to note that the flaws require an unauthorized party to get physical access to a phone to exploit it. Neither flaw can be performed remotely through malware.
In addition, the vulnerabilities are in the design of the wallet, not in the NFC payment system behind it. If the wallet's PIN, for example, were placed in the payment's system secure element, it would be almost unhackable.
"Google Wallet is still significantly more secure than the credit card you use today, even with this vulnerability in the wild," Zvelo researcher Joshua Rubin says.
MOST POPULAR
- NZ game industry: Govt support for development increasing
- Video, connection costs major factors in broadband uptake: ComCom
- Raspberry Pi arrives in New Zealand
- Chorus extends introductory fibre trial for RSPs until December
- IBM boosts returns to parent company, paying $20m to US
- Air NZ completes migration
Social Media @Computerworld NZ
Computerworld NZ has now reached LinkedIn! Join to expand your networks and meet others interested in information systems.
