Google Wallet PIN vulnerable on rooted Android devices

By Jos · 6 replies
Feb 9, 2012
  1. Security researchers over at zvelo have discovered a vulnerability in Google Wallet that could expose users' PIN codes to a brute-force attack. The flaw only affects users who have rooted…

  2. I wonder if the moneto app has the same issue.
  3. lawfer

    lawfer TechSpot Paladin Posts: 1,270   +91

    I'm not really surprised. Android is not exactly the most secure OS, and probably never will until Google gets serious about user experience.

    Fortunately, this only affects the most tech savvy, those who put up with the potential risk of bricking their phone by changing their ROM in the first place; hopefully, possibly having their credit card info stolen is another risk they might be willing to take. But then again, without having hard evidence, I'd be inclined to say that the tech savvy users are about 60% of the Android user base. So, not so fortunate.
  4. I wonder if AT&T, Verizon, and T-Mobile were funding zvelo. Seeing as how Verizon blocked Google Wallet on the Galaxy Nexus because of the competing payment system Isis.
  5. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,811   +472

    That is completely retarded... why would they store even the hash of a 4 digit pin on the phone? Having such a small passcode, it should never be stored.

    Another reason why open source is a good idea... so security practices at least get some sanity checking by peers.
  6. ---agissi---

    ---agissi--- TechSpot Paladin Posts: 1,978   +15

    Darth Shiv, I don't think they're storing the hash, given the article said it's being cracked via brute force, which is possible due to it being a 4 digit PIN with a small amount of possible combinations. A simple feature like 3-try-lockout would prevent this. What spikes my curiosity is does that phone have the power to crack the password that fast, or is it being done remotely w/ a service like Amazon cloud where they're using powerful servers they pay a small price for to do the heavy work. I'd expect a quad core CPU to be that fast but idk what chip that phone has in it.
  7. The article also said "The issue apparently stems from the fact that Google Wallet stores a hash of the PIN on the device itself".

    The brute force is against the hash.
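
Added example, not part of the thread and not Google Wallet's code: it contrasts a PIN verifier that can be read from storage (guesses are unlimited, so all 10,000 candidates can be checked) with a try-limited checker whose verifier and counter the caller cannot read. The KDF (PBKDF2-SHA256), salt size, iteration counts, the sample PIN and all function and class names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit PIN

def make_verifier(pin, salt, iterations):
    """Salted verifier; the KDF and its parameters are assumptions for this sketch."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

def offline_search(stored, salt, iterations):
    """Model a party that can read the stored verifier: nothing limits the guesses."""
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(make_verifier(pin, salt, iterations), stored):
            return pin, guesses
    return None, len(PIN_SPACE)

class LockoutChecker:
    """Model a checker whose verifier and counter are NOT readable by the caller
    (for example a secure element or a server), so the try limit is enforceable."""

    def __init__(self, pin, max_tries=3):
        self._salt = os.urandom(16)
        self._stored = make_verifier(pin, self._salt, 1000)
        self._max = max_tries
        self._tries_left = max_tries

    def check(self, guess):
        if self._tries_left <= 0:
            return False  # locked: even the correct PIN is refused
        ok = hmac.compare_digest(make_verifier(guess, self._salt, 1000), self._stored)
        self._tries_left = self._max if ok else self._tries_left - 1
        return ok

def online_search(checker):
    """The same enumeration, forced through the try-limited interface."""
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        if checker.check(pin):
            return pin, guesses
    return None, len(PIN_SPACE)

if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed sample data
    stored = make_verifier("7314", salt, 100)  # constructed sample PIN
    print(offline_search(stored, salt, 100))      # always found within 10,000 guesses
    print(online_search(LockoutChecker("7314")))  # locked out after three wrong tries
```

Raising the iteration count only scales the offline search time linearly; with a 10,000-value keyspace the lasting mitigation is keeping the verifier and the attempt counter out of readable storage.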
