13 October 2015

Google Wallet PIN vulnerability exposed

09 February 2012

Google Wallet's PIN has a security vulnerability that leaves it open to a brute force attack, according to research outfit zvelo.

Google Wallet requires users to enter a four-digit PIN to track transaction history and edit card details on an NFC mobile phone.

"Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone," says Joshua Rubin, senior engineer, zvelo, in a blog post.

Rubin built an app to test the vulnerability and posted a video of it cracking PINs, although it works only on rooted handsets.
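The arithmetic in Rubin's quote can be checked with a short keyspace audit. This is an added example, not zvelo's app and not Google Wallet's storage format: the salt-plus-PIN layout, the PBKDF2 comparison and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

PIN_DIGITS = 4  # the page's case: a 4-digit numeric PIN, 10,000 candidates


def sha256_pin(pin: str, salt: bytes) -> bytes:
    """Constructed storage scheme: SHA-256 over salt || PIN (an assumption)."""
    return hashlib.sha256(salt + pin.encode()).digest()


def pbkdf2_pin(pin: str, salt: bytes, iterations: int = 1_000) -> bytes:
    """The same PIN under a deliberately slow KDF, for comparison."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def exhaust_keyspace(stored: bytes, salt: bytes, derive, digits: int = PIN_DIGITS):
    """Walk every possible PIN; return (pin, guesses, seconds) for the match."""
    start = time.perf_counter()
    for guesses, n in enumerate(range(10 ** digits), start=1):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(derive(candidate, salt), stored):
            return candidate, guesses, time.perf_counter() - start
    return None, 10 ** digits, time.perf_counter() - start


def audit(pin: str, derive):
    """Hash a PIN with a fresh random salt, then measure the exhaustive search."""
    salt = os.urandom(16)  # the salt sits beside the hash, so a reader of one has both
    return exhaust_keyspace(derive(pin, salt), salt, derive)


if __name__ == "__main__":
    for name, derive in (("sha256", sha256_pin), ("pbkdf2 x1000", pbkdf2_pin)):
        pin, guesses, secs = audit("9999", derive)  # worst case: last candidate
        print(f"{name:13s} recovered={pin} guesses={guesses} time={secs:.3f}s")
```

A salt or a slower KDF only multiplies the cost of each guess by a constant; the number of guesses stays capped at 10,000, so the stored value protects the PIN only while it cannot be read from the device.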

Update: A second, more serious flaw has been found by researchers at the Smartphone Champ. An option to clear data and reset payment options on the phone makes it easy for anyone who finds or steals an Android phone to take over the wallet function. It may be no different from losing your physical wallet, but this is a more pressing issue for Google Wallet users. Google says it is aware of the problem and is working on a fix. In the meantime, the company is urging users who lose a phone to call a toll-free number to disable the pre-paid card function.
