Google Wallet Payment System Vulnerable to Attack

Dennis Faas's picture

Google has temporarily suspended one of the features on its mobile wallet system for smartphones following word the platform has at least two serious security flaws.

Google Wallet allows users to make payments using "near-field communications," a wireless protocol like Bluetooth, but with a maximum range of just centimeters.

Users can hold, tap or swipe their smartphone next to a payment device without having to worry about the signal being intercepted.

'Brute Force' Could Break Code

The system can be protected with a PIN (personal identification number) code, to prevent misuse when a phone is stolen.

In theory, the code itself is stored in a secure, inaccessible area of the phone.

In actuality, however, the PIN code is located in a secure database that anyone could access once the phone defense system has been bypassed using specialized software. This is called 'rooting' the phone.

Gaining root access (or super-user access) on the phone using specialized software modifies the operating system of the phone so that it eliminates restrictions on future software installations, as well as the phone operation itself.

This means that if a thief acquires a phone (for example) and acquires root access, the user's PIN could theoretically be guessed by using what's called a brute-force software attack.

How Brute Force Attacks Work

In brute force attack, every conceivable combination of numbers are input to the phone until the correct PIN code is guessed.

This is a similar style of attack often used on email accounts. Once attackers have access to an email account password, they login to the account (example: hotmail, gmail, etc), and acquire the owner's contact list of other email accounts.

Once the contact list is in their hands, they then send mass-emails to all users on the contact list purporting to be from the owner of the email account.

If you've ever received an email from a friend with a link endorsing a bogus website, this is likely what's happened.

Wiping Code an Easy Way to Infiltrate Account

That said, a software developer has found an even simpler security loophole that doesn't require hacking the phone or using a brute force attack.

Instead, a thief can simply use the phone's application settings menu to clear all of Google Wallet's stored data. They can then run the Google Wallet app, insert their own PIN, and gain access to the real phone owner's account.

Once the security is breached, a thief can spend the entire balance in the user's pre-paid Google Wallet account.

There are at least two good security features that would help deter future purchases if the phone was stolen and rooted.

For example: once the existing balance is depleted, the thief can't get any more, or access the user's bank accounts. There would also be a record of exactly where the thief made purchases, which would greatly aid any detection efforts.

Google says it is already working on permanent fixes and released a 'fix' this past Tuesday. However, the fix reportedly can be bypassed and the "technical issue still remains." (Source:

Ways to Tighten Security while using Google Wallet

There are several security measures users can take to limit these risks with Google Wallet.

First, don't acquire root access to your phone. This is often done on purpose to allow users to run non-legitimate apps on their phone.

Second, avoid having your phone inadvertently rooted by malicious software: only download legitimate apps from legitimate sources.

Third, make sure your phone's lock screen is activated (this will block a thief from accessing any applications or menus).

Google also says that people whose phones are lost or stolen should call 855-492-5538 to disable spending of their Google Wallet pre-paid balance. (Source:

Rate this article: 
No votes yet