Sooner or later, it was going to happen, and now it has:

Google Wallet’s success story took a hit when a senior engineer at
a Colorado, US-based security firm developed an app that can crack
the wallet’s four-digit PIN.

The engineer, Joshua Rubin, from zvelo, developed the Wallet
Cracker app and showed just how vulnerable Google is to fraudsters
in a video posted on his blog.

Google has now suspended the service and published a blog post
defending itself.


The claim

Rubin wrote in his blog post:

“viaForensics recently came out with a report about the security of
Google Wallet. In it, they concluded that due to the unencrypted
personal information and payment history, users might be subject to
social engineering attacks.

“We were intrigued by the findings from
viaForensics and decided to do a bit of digging of our own.

“We were quickly able to independently confirm the findings of
viaForensics. As we investigated the data stored in the per-app
(sqlite3) database used by Google Wallet, we became intrigued by the
contents of the “metadata” table that contained only 3 rows but a
large “blob” of binary data in each. The name alone, “metadata,”
just seemed like a poor attempt at “security by obscurity” which as
we already know, “is no security at all”.”

Rubin added that after notifying Google,
Google was “extremely responsive to the issue, but ran into
several obstacles preventing them from releasing the fixed
app.”

According to Reuters, Google’s spokesperson
Jay Nancarrow has confirmed Google is “working to resolve the
issue”.

“The zvelo study was conducted on their own phone, on which they
disabled the security mechanisms that protect Google Wallet by
‘rooting’ the device,” Reuters quoted Nancarrow.


Google’s response

In a blog post in response to the vulnerability claims, Osama
Bedier, vice president, Google Wallet and Payments,
wrote:

“People are asking if Google Wallet is safe enough for
mobile phone payments. The simple answer to this question is yes.
In fact, Google Wallet offers advantages over the plastic cards and
folded wallets in use today.

“First, Google Wallet is protected by a PIN — as well as the
phone’s lock screen, if a user sets that option.

“But sometimes, users choose to disable important security
mechanisms in order to gain system-level “root” access to their
phone; we strongly discourage doing so if you plan to use Google
Wallet because the product is not supported on rooted phones.
That’s why in most cases, rooting your phone will cause your Google
Wallet data to be automatically wiped from the device.

“Second, we also take concrete actions to help protect our
users. For example, to address an issue that could have allowed
unauthorized use of an existing prepaid card balance if someone
recovered a lost phone without a screen lock, tonight we
temporarily disabled provisioning of prepaid cards. We took this
step as a precaution until we issue a permanent fix
soon.

“And just like with any other credit card, you can get support when
you need it. We provide toll-free assistance in case you lose your
phone or someone manages to make an unauthorized transaction.

“Mobile payments are going to become more common in the
coming years, and we will learn much more as we continue to develop
Google Wallet. In the meantime, you can be confident that the
digital wallet you carry provides defenses that plastic and leather
simply don’t.”

The exposure of the Google Wallet vulnerability may also have an
impact on Citi, Visa and MasterCard, which are all affiliated with
the service.


Cut them some slack

But Thomas Bostrom Jergenson, CEO of Encap, a mobile security
authentication company, offered a more balanced view on the issue:

“Google Wallet is the ‘poster child’ for NFC-based m-commerce in
developed markets. As such, it will face a greater level of
scrutiny and attack than other mobile wallets,” he told Cards
International.

He argued that the hacking of the PIN took place under lab
conditions – “where anything is possible”.

He said:

“In this instance, the security flaw was
caused by PIN verification taking place on the device. Therefore,
sensitive information is held on the device and this enabled a
‘brute force’ attack to check each of the 10,000 possible
four-digit PIN combinations.

“The attack has been described as
‘theoretical’, but the impact is that it creates fear, uncertainty
and doubt in the minds of consumers around the world. Security
scares affect more than just the company attacked – they can affect
the entire industry.”

Yet, with the industry still in its infancy, confidence must be
maintained if the whole market, not just Google Wallet, is to grow
further. Google was quick to respond to the issue and is working on
resolving it.

As the industry progresses towards a more sophisticated environment,
security features will become even stronger. For instance,
cloud-based payments, where ‘brute force’ attacks can be avoided,
as Bostrom Jergenson argues, could make m-wallets safer.
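The flaw Bostrom Jergenson describes above (PIN verification on the device, leaving data that lets every one of the 10,000 PINs be checked) and the off-device verification he proposes as a remedy, as an added example in Python. This is not code from the original article, nor from Google, zvelo or Encap: it assumes a salted SHA-256 record as a stand-in for the on-device data (the article does not describe the real format) and a hypothetical `AttemptLimitedVerifier` standing in for cloud or secure-element verification with a lockout counter.

```python
"""Added example: why verifying a four-digit PIN on the device is
brute-forceable, and what an attempt-limited verifier changes.
Not code from Google Wallet or zvelo; the record layout is constructed."""
import hashlib
import hmac
import os

PIN_SPACE = 10_000  # every four-digit PIN, 0000 through 9999


# --- Weak design: the device holds a record that lets a guess be checked
# locally. Assumption: a salted SHA-256 of the PIN stands in for whatever
# the real app stored; the article only says the data was held on-device.

def make_local_record(pin: str) -> dict:
    """Build the device-side record for a PIN (constructed format)."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + pin.encode()).digest()
    return {"salt": salt, "digest": digest}


def verify_local(record: dict, pin: str) -> bool:
    """On-device check: whoever holds the record can run this as often
    as they like, with no counter and no lockout."""
    digest = hashlib.sha256(record["salt"] + pin.encode()).digest()
    return hmac.compare_digest(digest, record["digest"])


def offline_search(record: dict) -> tuple:
    """Risk demonstration: with a locally checkable record the whole
    10,000-PIN space is searchable offline. Returns (pin, candidates_tried)."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if verify_local(record, candidate):
            return candidate, n + 1
    return None, PIN_SPACE


# --- Hardened design: verification happens off the device (a cloud
# service or tamper-resistant element). The device keeps nothing that
# lets a guess be checked locally, and the verifier counts failures.

class AttemptLimitedVerifier:
    """Hypothetical stand-in for a remote or secure-element verifier."""

    def __init__(self, pin: str, max_attempts: int = 5):
        self._key = os.urandom(32)  # never leaves the verifier
        self._tag = hmac.new(self._key, pin.encode(), "sha256").digest()
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, pin: str) -> bool:
        """Check one PIN; lock after max_attempts consecutive failures."""
        if self.locked:
            return False
        tag = hmac.new(self._key, pin.encode(), "sha256").digest()
        if hmac.compare_digest(tag, self._tag):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


def online_search(verifier: AttemptLimitedVerifier) -> dict:
    """The same exhaustive search against the attempt-limited verifier.
    The lockout stops it after max_attempts failures, so the 10,000-PIN
    space cannot be walked; a guesser gets max_attempts chances in 10,000."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if verifier.verify(candidate):
            return {"recovered": True, "attempts": n + 1, "locked": False}
        if verifier.locked:
            return {"recovered": False, "attempts": n + 1, "locked": True}
    return {"recovered": False, "attempts": PIN_SPACE, "locked": verifier.locked}


if __name__ == "__main__":
    pin = "4321"  # constructed sample PIN
    recovered, tried = offline_search(make_local_record(pin))
    print(f"on-device record: recovered {recovered} after {tried} candidates")
    result = online_search(AttemptLimitedVerifier(pin, max_attempts=5))
    print(f"attempt-limited verifier: {result}")
```

Two points the example makes concrete. First, key stretching does not rescue the weak design: the candidate space is a fixed 10,000, so a slower hash only multiplies a small number, and the search still completes. Second, the lockout counter only helps if it lives somewhere the attacker cannot copy or reset, which is exactly what a rooted device undermines and why moving verification off the device (or into a tamper-resistant element) is the remedy the article points to.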

Currently, Google Wallet has limited distribution, so although the
incident will certainly deter some consumers from using wallets in
future, the overall risk remains very limited.

For Google, what is most crucial now is quickly regaining consumer
trust in order to keep growing its Wallet service. For any other
m-wallet provider, it is now crucial to recognise how quickly
hard-won trust can be lost, and to focus on m-payments security as
well as customer education campaigns.