A senior engineer at zvelo has found that Google Wallet has a “significant security vulnerability” which could reveal users’ PINs. Sharing the findings on their blog and posting a demo video for the world to see, zvelo indicates that Google has already been notified of the issue. While this might sound like a terribly scary situation and a blow to Google’s NFC initiative, it’s worth pointing out that it affects only Android handsets that have been rooted. Also, bear in mind that Google Wallet is not widely available yet, as it’s technically only offered on one phone on one carrier.
As mentioned above, Google is already aware of the situation and is said to be working on a fix for the bug. In the meantime, zvelo offers up a number of precautions that users can take to reduce their exposure.
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone. – Google
What Wallet Users Can Do Today
There are some steps that Google Wallet users can take today to help mitigate the risk of this vulnerability.
- Do Not “Root” the Cell Phone – Rooting removes one of the steps a thief would otherwise have to take.
- Enable a Lock Screen – “Face Unlock,” “Pattern,” “PIN” and “Password” all increase the physical security of the device. “Slide,” however, does not.
- Disable USB Debugging – When it is enabled, the data on the device can be accessed over USB without first passing the lock screen challenge, unless Full Disk Encryption is also enabled.
- Enable Full Disk Encryption – This prevents even USB Debugging from bypassing the lock screen.
- Keep the Device Up to Date – Ensure the device is running the latest official software. Unfortunately, users are largely at the mercy of their carrier and handset manufacturer for this. Using only official software and keeping devices up to date is the best way to minimize vulnerabilities and improve security overall.