A web security firm recently disclosed that it was able to gain access to the Google Wallet application by recovering the PIN from its stored hash.
Being the first commercially viable mobile wallet in the United States, Google Wallet is under a lot of scrutiny while competitors, white hat and black hat hackers alike try to find security weaknesses. Security firm Zvelo called attention to a weakness that let them obtain the PIN protecting access to the Google Wallet app. First, the mobile device must be “rooted,” meaning the user has access to change any file on the system. Then a specially designed mobile app can recover the Google Wallet PIN on that rooted device. Once a fraudster has the PIN, they can use the mobile wallet to make fraudulent purchases.
When it comes to NFC mobile contactless payments, the mobile wallet accesses payment information that is stored and encrypted in what is known as the Secure Element. The Secure Element is separate from the device’s internal memory and is designed to be tamper-proof. The PIN that authenticates access to the mobile wallet, while hashed, is not stored in the Secure Element. This means that on a rooted phone a mobile app can be designed to read the hashed PIN and attempt to recover the PIN from it, which is exactly what Zvelo set out to prove.
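As an added illustration of the point above (not code from the article, Zvelo or Google; the salted SHA-256 construction and the attempt limit are assumptions, since the article does not state how the PIN was stored): a hash of a 4-digit PIN kept in ordinary app data falls to exhaustive search in at most 10,000 hash computations once the file is readable, whereas a verifier that keeps the hash inside a tamper-resistant component and locks after a few wrong guesses never exposes the hash to offline search at all.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every 4-digit PIN, "0000" through "9999"


def store_pin_hash(pin: str, salt: bytes) -> bytes:
    """Constructed stand-in for an app-side PIN check: hash(salt || pin) saved in app data.
    A rooted device lets any app read this value."""
    return hashlib.sha256(salt + pin.encode()).digest()


def recover_pin_offline(salt: bytes, pin_hash: bytes) -> Tuple[Optional[str], int]:
    """Why hashing alone does not protect a 4-digit PIN: once salt and hash are
    readable, the whole space is searched offline. Returns (pin, hashes computed)."""
    for i in range(PIN_SPACE):
        candidate = f"{i:04d}"
        if hashlib.sha256(salt + candidate.encode()).digest() == pin_hash:
            return candidate, i + 1
    return None, PIN_SPACE


class AttemptLimitedVerifier:
    """Models the Secure Element role: the salt and hash never leave this object,
    and it stops answering after max_attempts wrong guesses. The same counter kept
    in app storage on a rooted phone would be resettable, so the protection comes
    from the tamper-resistant boundary, not from the counter itself."""

    def __init__(self, pin: str, max_attempts: int = 5):
        self._salt = os.urandom(16)
        self._hash = store_pin_hash(pin, self._salt)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # no more answers, so no online search either
        if hmac.compare_digest(store_pin_hash(guess, self._salt), self._hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False
```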
Google acknowledged the security concerns, advising Android users not to use Google Wallet on rooted phones and to set a screen lock for added protection. It should be noted that if a hacker or thief were to obtain a mobile device, they could root, or jailbreak, the device themselves, but Google states that when a phone is rooted the Google Wallet data is cleared.
For more information: