Researchers identified two ways the PIN code used to secure Google Wallet on Android smartphones can be cracked.
researchers have figured out ways to crack the PIN code used to secure Google
Wallet, raising new questions about the safety of the payment system.
Tech blog TheSmartphoneChamp
described Feb. 10 how someone can bypass the PIN
code on Google Wallet by just clearing data associated with the payment app
from the smartphone's application settings menu. This causes Google Wallet to
reset itself and prompts the user for a new PIN the next time it is launched.
Once the user has created a new code and tied in a Google PrePaid card to the
app, all previously available funds are again available, TheSmartphoneChamp
strongly encourages anyone who loses their device to call Google Wallet's
support at 855-492-5538 to disable the prepaid card to prevent attackers from
exploiting this issue.
"We are currently working on an automated fix as well
that will be available soon," Google said.
came less than a day after researchers at Web security provider Zvelo found a
way to brute-force the PIN code on rooted devices. Google Wallet stores a hash
of the PIN that prevents thieves from accessing the payment application, but
the fact that the code consists of only four numerals makes it susceptible to a
brute-force attack, Joshua Rubin, a Zvelo
engineer wrote Feb. 9. For the brute-force
attack to work, the phone needs to be "rooted" first, either by the
user or someone who has physical access to the device.
is a near-field communication (NFC) payment service that allows users to use
their smartphones to make purchases. The Wallet app stores the credit card and
other banking data. When it is time to pay for an item, the user is prompted to
enter the PIN code to authorize the transaction. The brute-force attack targets
this specific code, which is stored as a hash on the device.
that the PIN can only be a four-digit numeric value, it dawned on us that a
brute-force attack would only require calculating, at most, 10,000 SHA256
hashes," Rubin wrote on the Zvelo Website.
Algorithm is a cryptographic hash function and the version used in Google
Wallet, SHA256, is considered fairly secure. The algorithm turns the PIN into a
special code that can't be converted back to the original. The app takes what
was entered, hashes it and compares it against the stored value. If the code
matches, then it is correct.
that a PIN consisting of four numbers can only contain 10,000 possible
combinations. It is computationally inexpensive to generate a hash of all
10,000 combinations, and his Google Wallet Cracker app proceeds to compare the
possibilities against what is stored on the device.
already disclosed the issue to Google.
technique relied on rooting the Android device to disable the security mechanisms
that protect Google Wallet, Google said in a statement. "To date, there is
no known vulnerability that enables someone to take a consumer phone and gain
root access while preserving any Wallet information such as the PIN,"
according to the statement.
way to prevent Cracker app to gain access to the hashed code would be to move
the PIN off the device and store it on the Secure Device or the NFC chip, said
Rubin. However, the move would make banks, as the payment processor,
responsible for PIN security instead of Google. Banks have to choose to take on
the financial and administrative overhead of moving the PIN instead of leaving
it up to Google, and "potentially put the banks on the hook for the PIN
security," said Rubin.
strongly encourages users with rooted devices not to install Google Wallet. For
those with Google Wallet, the company suggests they lock the screen, use facial
recognition and pattern matching, to add another layer of security on the
was considered fairly safe because users had to enter a code to authorize
payment, and the code was stored in hash. Wallet also allows only five
incorrect attempts before locking the user out of the phone. However, Rubin's
Wallet Cracker app can figure out the PIN without a single invalid attempt.
This isn't the
first time people poked around Google Wallet's security. In December,
researchers from ViaForensics disclosed some sensitive information, such as
cardholder names, credit limit and account balance, was not encrypted in Google Wallet
. The unencrypted data
exposed users to social engineering attacks to obtain more sensitive
information, according to Mark Bower, vice president of Voltage Security.