While Google is trying to spur digital wallet payments through its own Google Wallet app and service in the U.S. market, two recently uncovered vulnerabilities show that more work needs to be done to keep digital wallets secure and to earn users' trust before physical credit cards can be considered obsolete.
The first vulnerability, discovered earlier this week, found that the Android app could potentially expose a user's PIN on rooted devices. Note that this requires the device, such as a Nexus S 4G or a Galaxy Nexus, to be rooted for the vulnerability to work.
The second vulnerability does not require a rooted device. It is only exposed if the user has not set a security lock (pattern unlock, PIN, alphanumeric passcode, or face unlock) or if the attacker bypasses the security lock. Once the attacker has physical access to an unlocked device, they can clear the application's data from the device's settings and relaunch the app, which then prompts them to set up a new PIN. Once that PIN is set, the attacker has access to the user's prepaid, reloadable Google MasterCard.
Like a gift card, the Google MasterCard can be reloaded with additional funds by the user. Many users are unlikely to keep a large balance on the card at any given time and will only add funds to the prepaid MasterCard as needed, which limits the exposure.
The second vulnerability does not give the attacker access to any other cards that may be stored in the Google Wallet app: clearing the application data erases those stored cards and their data.
With NFC technology and the mobile wallet applications it enables still trying to gain ground in the U.S., it is unclear how Google will respond and whether this will present a major setback to consumer adoption. Google has so far responded only to the first vulnerability, stating:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.