Google Wallet 4-digit security PIN cracked and exposed


A significant security vulnerability in the Google Wallet mobile payment system has been exposed by a senior engineer at zvelo, a provider of website categorisation, URL database and malicious website detection solutions for the OEM (Original Equipment Manufacturer) market. Using a brute-force attack (i.e. an exhaustive numerical search), the engineer, Josh Rubin, managed to crack and expose the wallet’s 4-digit PIN, which is used to authorise and process mobile phone payments. zvelo claims the hack was possible because the PIN verification is stored on the phone itself, which isn’t particularly secure.

zvelo reported the issue immediately to Google, who checked and confirmed the vulnerability and have started taking steps to resolve it. According to zvelo, this can only be done by transferring the PIN verification to the Secure Element (SE) or the NFC chip. Google emphasises that only rooted phones are vulnerable and that they “strongly encourage people not to install Google Wallet on rooted devices.” Google Wallet is currently only available on the NFC-enabled Samsung Galaxy Nexus.
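To show why the location of PIN verification matters, here is an added example (not zvelo's or Google's code). It assumes the on-device record is a salted SHA-256 hash of the PIN, which the article does not specify, and contrasts it with a verifier that keeps the record private and enforces a retry limit, as a secure element could; all names and the sample PIN are constructed.

```python
import hashlib
import hmac
import os

PIN_SPACE = 10_000  # a 4-digit PIN has only 0000-9999

def make_record(pin: str, salt: bytes) -> bytes:
    # Assumed storage format for illustration: SHA-256(salt || PIN).
    return hashlib.sha256(salt + pin.encode()).digest()

def offline_search(salt: bytes, record: bytes):
    """Salt and record are readable from storage, so nothing limits guesses."""
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        if hmac.compare_digest(make_record(guess, salt), record):
            return guess, n + 1
    return None, PIN_SPACE

class CountingVerifier:
    """Hypothetical verifier: record never leaves it, wrong guesses are counted."""
    def __init__(self, pin: str, max_tries: int = 5):
        self._salt = os.urandom(16)
        self._record = make_record(pin, self._salt)
        self._max = self._left = max_tries
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(make_record(guess, self._salt), self._record)
        self._left = self._max if ok else self._left - 1
        self.locked = self._left == 0
        return ok

def search_via_verifier(verifier: CountingVerifier):
    """The same exhaustive search, but every guess must go through verify()."""
    for n in range(PIN_SPACE):
        if verifier.locked:
            return None, n
        if verifier.verify(f"{n:04d}"):
            return f"{n:04d}", n + 1
    return None, PIN_SPACE

if __name__ == "__main__":
    salt = os.urandom(16)
    pin = "7391"  # constructed sample PIN
    print(offline_search(salt, make_record(pin, salt)))
    print(search_via_verifier(CountingVerifier(pin)))
```

With the record readable on the device, the salt adds nothing against a 10,000-value keyspace; the retry counter is what stops the search.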
