PSA: Google Wallet vulnerable to ‘brute-force’ PIN attacks (update: affects rooted devices)

Feb 09

PSA: Google Wallet vulnerable to ‘brute-force’ PIN attacks (update: affects rooted devices)

Posted on 09 February 2012 by

Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be “easily revealed.” Digging through the app’s code and using Google’s open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a “trivial” brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app — demoed after the break — that does the job quicker than you can say “unexpected overdraft.”

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it’s only users of rooted devices who are at risk. In a statement to TNW it said: “We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.”

[Thanks to everyone who sent this in.]

Continue reading PSA: Google Wallet vulnerable to ‘brute-force’ PIN attacks (update: affects rooted devices)

PSA: Google Wallet vulnerable to ‘brute-force’ PIN attacks (update: affects rooted devices) originally appeared on Engadget on Thu, 09 Feb 2012 05:07:00 EDT. Please see our terms for use of feeds.

Permalink   |  zvelo  | Email this | Comments

Original post by Sharif Sakr

Share and Enjoy:
These icons link to social bookmarking sites where readers can share and discover new web pages.

Related posts:

  1. Symantec report on mobile security concludes iOS and Android both vulnerable to attacks In Symantec’s bleak, dystopian world, it doesn’t matter whether you…
  2. Galaxy Nexus gets unofficial Google Wallet, leaves rooters feeling flush (update: now root-free) While it may have arrived with the Nexus name, Google’s…
  3. Google is blocking Android Market movie rentals on rooted devices because of copy protection Rooting your Motorola Xoom won’t stop you from getting an…
  4. Verizon’s Galaxy Nexus won’t support Google Wallet, reports claim (update: Verizon responds twice) The Verizon-branded Galaxy Nexus can do a lot of things,…
  5. Google Wallet mobile payment service, Google Offers announced It may not be as big a surprise as Google…

Related posts brought to you by Yet Another Related Posts Plugin.

Article source: