Cracking Open Google Wallet

Mobile shopping received a setback last week when security researchers discovered flaws in Google Wallet that could potentially expose its PIN to enterprising hackers.

When Google introduced its wallet, it bragged that it was secure because transaction information was stored in a “secure element” in Wallet-enabled phones. What researchers at a security outfit called zVelo discovered, though, was that the PIN for the wallet was stored outside the “secure element” where it could be cracked with a brute force attack.

“Once you have a user’s PIN, you can access anything that the Google Wallet application can do, even stuff that is stored properly in the secure element, which is where the PIN should be stored,” zVelo researcher Joshua Rubin told TechNewsWorld.

“Google just chose not to use the secure element for the PIN, which doesn’t make a whole lot of sense,” he added.

Fortunately for owners of Android phones with Google Wallet, the zVelo attack requires a mobile to be “rooted” — modified for greater access to its administrative workings.

When you root a phone, you make it less secure and allow miscreants to perform mischief on it, as zVelo was able to do, according to Google.

“To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN,” Google spokesperson Nate Tyler told TechNewsWorld.

“We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone,” he added.

No Rooting, No Problem? No Dice

That’s fine for a rooted phone, but it doesn’t address another vulnerability publicized in the wallet later in the week.

A blogger called The Smartphone Champ explained that if a crook clears the application settings for Google Wallet on a phone, then accesses the app, it will ask for a new password, which the thief can easily fill in.

Meanwhile, the wallet will automatically tie the prepaid credit card in the device to the wallet with the new password, which allows the bandit to shop with your phone and charge their purchases on your card.

Google doesn’t have a fix for that problem yet, Tyler noted. He recommended that anyone who loses a phone with a wallet on it should call Google support (855-492-5538) and cancel their prepaid card.

It remains to be seen how this flap will affect consumers’ perceptions about the wallet in particular and mobile shopping in general.

“I think these types of vulnerabilities threaten to kill the adoption of NFC [technology used in Google Wallet] before it is even fully born,” Carl D. Howe, data research vice president for the Yankee Group, told TechNewsWorld.

“All forms of mobile payment rely on being able to trust the payment system,” he continued. “If consumers lose that trust, then they just won’t use mobile payments.”

The root-less hack is a pernicious one, he asserted, and “we perceive it as a serious threat.”

“I believe that Google will have to address this vulnerability or face consumers who will become more skeptical that they can trust Google,” he added.

Customer Records Prime Target

Customer records were in the crosshairs of cybercriminals more than ever in 2011, according to Trustwave. The great majority of attacks (89 percent) were focused on obtaining personally identifiable information, credit card data and other customer data.

The report, based on Trustwave investigations in 2011 of more than 300 data breaches and the performance of more than 2,000 penetration tests around the world, also found that the food and beverage industry accounted for almost half (44 percent) of the company’s investigations during the period, and that a third of those investigations involved industries with franchise models.

Trustwave researchers also found that the most common password used by global businesses was “Password1” because it satisfies the default Microsoft Active Directory complexity setting.

DDoS Attacks on IPv6

The first attacks on the new Internet numbering system, IPv6, were observed in 2011, noted a report released last week by Arbor Networks. This marks a significant milestone in the arms race between attackers and defenders, the report stated, and confirms that network operators must have sufficient visibility and mitigation capabilities to protect IPv6-enabled properties.

While this is the first instance of reported IPv6 DDoS attacks, IPv6 security incidents remain relatively rare, it added. This is a clear indication that while IPv6 deployments continue to advance, IPv6 is not yet economically or culturally significant enough to warrant serious attention by the Internet criminal underground.

Breach Diary

  • Feb. 6: Anonymous posts to the Internet portions of the code for Symantec’s pcAnywhere program after failing to extort US$50,000 from the company in exchange for not making the code public.
  • Feb. 8: Cyberanarchists SwaggSec breach servers of Foxconn, which assembles 40 percent of the world’s consumer electronics, and post contact details of a number of the company’s global sales managers, user names and IP addresses, as well as a list of its email users and clients’ purchases.
  • Feb. 8: A hacker who calls himself Neon Seven and claims affiliation with the ZCompany Hacking Crew posts to the Web more than 200 credit card numbers stolen from U.S. and Israeli sources in retaliation for Israel’s treatment of Palestinians.
  • Feb. 8: Website of Nigerian National Assembly breached by @OccupyAllSt and the passwords to the accounts of 19 senators posted to the Internet.
  • Feb. 9: Boston Police Department website, offline for six days after breach by Anonymous, returns to service. Attack was motivated by department’s treatment of Occupy Boston movement.

Security Calendar

John Mello is a freelance technology writer and former special correspondent for Government Security News.
