Google Wallet Security Breach Is A Warning To All Smartphone Users

Google Wallet

A report that Google Wallet system has been compromised is a warning to smartphone users of the risks they run by storing access to their credit and debit card credentials on handsets for use “on the go.”

Google Wallet is recently launched system of storing credit, debit and loyalty card data in the Google cloud, and then using the smartphone as an authentication device whilst out and about.

Google Wallet will really come in to its own this summer during the Olympics as MasterCard and Visa ramp up their PayPass and PayWave NFC payment systems, which allow payments of under £10.00 to be completed with a wave of the card – or NFC-enabled mobile – in the same way that TfL’s Oyster card works,” he said.

Google Wallet protects access to the smartphone app using a PIN protection system, but it appears that researchers have developed a method of cracking the PIN that can be used by cybercriminals to perform fraud by using a brute force attack on the Android device. So far, the fraud only works on rooted devices, but a crack for all Android smartphones is in development.

This is particularly worrying, as if an attacker is able to use an exploit to compromise the system in this way, then it follows that they will be able to eventually access – and brute force attack – all of the data held on the smartphone. The cracking of Google Wallet is the direct result of the potential security of the payment card process being sacrificed for the sake of convenience.

And the weak link in the security chain is the storing of the Google Wallet PIN – effectively the keys to the owner’s credit and debit cards – on the smartphone itself, rather than in the cloud. Since Google Wallet is a hybrid on-device/cloud data storage system, it would have made more sense to store the user’s PIN in the cloud, meaning that a brute force cracker attack of this type would be a lot more difficult, if not impossible.

More than anything, he says, whilst we are likely to see more and more `convenient payment’ systems like Google Wallet appearing on the increasingly ubiquitous smartphone platform, potential users need to stop and think whether they are taking too much of a risk with their credit and debit card credentials.

And what many cardholders probably do not know is that the terms and conditions of most payment cards require that the account holder take reasonable steps to protect their card details, in return for financial protection against card fraud.

Against this backdrop, storing your card details on the Google Wallet system – regardless of these latest PIN security issues – may compromise your card issuer’s security requirements. Put simply, cardholders may find that, if their account is drained of money by cybercriminals, they have no comeback against their bank or financial institution.

Having said that, Google Wallet is a highly convenient means of storing credit and debit card data, but the arrival of a crack for the PIN protection system is a potentially serious security problem for users.

Longer term – if as seems likely – Android devices are increasingly used to perform payments then the platform will targeted even more than it is today by cybercriminals, who will be hell-bent on developing zero-day and similar attack methodologies in order to monetise their frauds.

As with the PayPass and PayWave systems “wave-to-pay” systems generally, users can choose how they wish to balance convenience against security, but I know which way I will be voting after hearing about this Google Wallet PIN crack.

Ask anyone about Jaime Blasco and they'll say he's the man you want on your side when it comes to a hack – the Sherlock Holmes of the Internet. At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on Web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching. When he's not hunting down the bad guys, and alerting the good ones, he's a guest speaker or lecturer at hacking conferences such as Rooted Con, OWASP. Recently he ran a Cyber Warfare conference for the Head of Defence in Spain demonstrating attacks in real time and showing how to defend against them. He's also a regular contributor to Hakin9 and InSecure magazine. Jaime also advises government on emerging threats.