DroidForums.net

Thread: Google Wallet PIN Falls to Brute Force Hack Attack

  1. Editor in Chief
    dgstorm's Avatar
    Member #
    154790
    Join Date
    Dec 2010
    Posts
    6,331
    Liked
    2057 times
    Premium Member
    #1

    Google Wallet PIN Falls to Brute Force Hack Attack


    It looks like the Google Wallet service has a security vulnerability that can be exploited to crack your PIN. It's important to note that several things have to line up to make this happen. Here's how it breaks down, and all of these things must be true for the vulnerability to be exploited:
    1. You have a phone with Google Wallet set up (currently the Nexus S and Galaxy Nexus)
    2. Your phone is rooted
    3. You don’t use lock screen security (PIN, pattern, face unlock, etc)
    4. You lose your phone

    Here's how the exploit works. Basically, Google Wallet stores your PIN using a SHA256 hex-encoding. This means all that you need is a brute-force attack to crack the encryption. You simply need to generate at most 10,000 SHA256 hashes, which would be easy for a smartphone to accomplish.

    Unfortunately, there is no easy way for Google to fix this security flaw. There are at least a couple of viable options for them. One is to offload the PIN security to the banks. However, more than likely the banks are loath to do this, because it would mean more costs for them, and would also mean you would have to trust your bank's security system more.

    Another idea proposed is to change it from a 4-digit PIN to a more secure password with a minimum of 6 digits and a mix of letters and numbers. Unfortunately, this isn't the ideal solution either, since typing in a long password could be time-consuming when you are waiting in line at a check-out counter. Additionally, the long password option could kill it as a viable idea, because it over-complicates the process, which would likely turn off a lot of consumers.

    Because of these issues, it is unlikely we will see anything done initially to deal with this problem, especially since a number of things must occur for this to be possible. Of course, as more phones get the NFC technology, the risk factor goes up. Ultimately, it really depends upon the user not losing their phone, and/or setting a lock screen on it. It's also obvious to point out that this vulnerability only affects "rooted" users, and while that means quite a few of you guys, it doesn't really affect the vast majority of consumers. Above is a video of the exploit in action. Does this make you less likely to utilize Google Wallet?

    Source: TalkAndroid
    Last edited by dgstorm; 02-09-2012 at 09:30 AM.
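
Added example, not part of the original post and not Google Wallet's code: it shows why a hash of a 4-digit PIN is exhausted offline in at most 10,000 tries, and how the same enumeration fails against a verifier that counts failures, which is what moving the PIN check off the phone (for example to the bank) would buy. The PIN values, the optional salt prefix and the `LimitedVerifier` class are constructed assumptions.

```python
import hashlib
import hmac

def pin_hash(pin: str, salt: str = "") -> str:
    """SHA-256 hex digest of salt + PIN (the exact stored layout is an assumption)."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()

def exhaust_keyspace(stored_hex: str, salt: str = "", digits: int = 4):
    """Try every PIN of the given length; return (pin, hashes_computed)."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(pin_hash(candidate, salt), stored_hex):
            return candidate, n + 1
    return None, 10 ** digits

class LimitedVerifier:
    """Hypothetical verifier whose secret cannot be copied off the device:
    a bank server or secure element that counts failures and locks."""
    def __init__(self, pin: str, max_failures: int = 5):
        self._pin = pin
        self._left = max_failures
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(guess, self._pin):
            return True
        self._left -= 1
        self.locked = self._left <= 0
        return False

def online_guessing(verifier: LimitedVerifier, digits: int = 4):
    """Enumerate PINs against the verifier; return (succeeded, guesses_made)."""
    tried = 0
    for n in range(10 ** digits):
        if verifier.locked:
            break
        tried += 1
        if verifier.verify(f"{n:0{digits}d}"):
            return True, tried
    return False, tried

if __name__ == "__main__":
    stored = pin_hash("7291")                         # constructed sample PIN
    print(exhaust_keyspace(stored))                   # offline: always recovered
    print(online_guessing(LimitedVerifier("7291")))   # online: locked out early
```

A salt or a slower hash does not change the first result in kind, because the keyspace is still 10,000 values; only a limit on the number of attempts does.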
  3. Master Droid
    Nealius's Avatar
    Member #
    84232
    Join Date
    Jul 2010
    Posts
    363
    Liked
    11 times
    Phone
    Gnex
    #2
    Every cool new toy gets hacked. This is why we can't have cool stuff.
    So I lose my phone, it gets hacked. Someone gets to spend the little bit of money I keep on my phone. I'm more bummed that I lost my phone. As I say that, I'm going to play with my security option and make sure my funding card is not attached to my wallet account.

    Sent from my GummyNex'd Galaxy Nexus!
  4. Senior Droid
    wolstonc's Avatar
    Member #
    229591
    Join Date
    Oct 2011
    Posts
    236
    Liked
    16 times
    Phone
    Samsung Galaxy Nexus
    #3
    How does being rooted or not change things on this?

    Also, I guess I don't worry much, because I wish I didn't have a PIN at all. Losing my credit card would still be easier to exploit than this.

    Sent from my Galaxy Nexus using DroidForums
  5. Droid Ninja
    johnomaz's Avatar
    Member #
    87119
    Join Date
    Jul 2010
    Location
    Central Valley, California
    Posts
    2,256
    Liked
    395 times
    Phone
    HTC One M8
    #4
    I'm sorry, but if you have your credit card info in Google Wallet and do not have a lock PIN or pattern on your phone, you're a dumb ass. Your phone also has to be rooted. Sure, I guess someone could find your lost phone and root it themselves, but come on, what are the chances that someone who finds a phone and decides to steal it will know what rooting is? If I were to use Google Wallet, I'd make sure I wasn't rooted and had a screen lock in place. That is, IMO, just common sense. Also, your laptop could get stolen and your bank info could get used if you store it in the browser. Just because it can be hacked doesn't mean it's suddenly unsecure. Though honestly, I'm not sure why Google doesn't use some sort of encryption for their Wallet PIN numbers.
    -------------------------------
    HTC One M8
    -------------------------------
  6. Team Sourcery
    Chizzele's Avatar
    Member #
    152716
    Join Date
    Dec 2010
    Location
    San Diego CA
    Posts
    2,023
    Liked
    131 times
    Phone
    Sourcerized GN
    DroidForums.net Developer
    #5
    Quote Originally Posted by johnomaz View Post
    I'm sorry, but if you have your credit card info in Google Wallet and do not have a lock PIN or pattern on your phone, you're a dumb ass. Your phone also has to be rooted. Sure, I guess someone could find your lost phone and root it themselves, but come on, what are the chances that someone who finds a phone and decides to steal it will know what rooting is? If I were to use Google Wallet, I'd make sure I wasn't rooted and had a screen lock in place. That is, IMO, just common sense. Also, your laptop could get stolen and your bank info could get used if you store it in the browser. Just because it can be hacked doesn't mean it's suddenly unsecure. Though honestly, I'm not sure why Google doesn't use some sort of encryption for their Wallet PIN numbers.
    If someone finds your phone and tries to root it, all info on the phone will be erased including Google Wallet info as part of the rooting process so that is not an issue.

    I am rooted, I use Google Wallet and I don't use any pattern lock. I would hate to lose my phone not because I'm worried about Google Wallet but because I'll have to get another phone. The likelihood of anyone finding the phone and knowing how to use this exploit is very slim. Plus I don't have any card information on GW other than the Google gift card.
    Last edited by Chizzele; 02-09-2012 at 12:46 PM.
    Dusty likes this.
  7. Master Droid
    ntrddragn's Avatar
    Member #
    12322
    Join Date
    Dec 2009
    Posts
    863
    Liked
    26 times
    Phone
    Nexus
    #6
    I think there are other concerns if you were to lose your phone besides GW, like your emails, contacts, pictures, stored info about yourself, your work, etc. Lots of people use email (few use GW) and I'm pretty sure those emails contain sensitive info. I use GW, have a pattern lock, am not rooted (now), and only have the Google gift card loaded.
  8. Master Droid
    B-Unit's Avatar
    Member #
    51526
    Join Date
    Mar 2010
    Posts
    297
    Liked
    16 times
    Phone
    Moto Droid 4
    #7
    Quote Originally Posted by johnomaz View Post
    I'm sorry, but if you have your credit card info in Google Wallet and do not have a lock PIN or pattern on your phone, you're a dumb ass. Your phone also has to be rooted. Sure, I guess someone could find your lost phone and root it themselves, but come on, what are the chances that someone who finds a phone and decides to steal it will know what rooting is? If I were to use Google Wallet, I'd make sure I wasn't rooted and had a screen lock in place. That is, IMO, just common sense. Also, your laptop could get stolen and your bank info could get used if you store it in the browser. Just because it can be hacked doesn't mean it's suddenly unsecure. Though honestly, I'm not sure why Google doesn't use some sort of encryption for their Wallet PIN numbers.
    I don't understand why having Wallet active doesn't require some type of true security, much like hooking up to an Exchange server with an iPhone requires you to have a PIN. This is a financial instrument, Google, not free e-mail. Pull your heads out.
    DROID4: Rooted and OC Hacked
    DROID : SimplyStunning 5.6 1.2 Ghz ULV Kernel
  9. Master Droid
    zomnomnombie's Avatar
    Member #
    182985
    Join Date
    Mar 2011
    Posts
    787
    Liked
    79 times
    Phone
    R2 unit
    #8
    So Google Wallet is like a real wallet? You lose it and you're most likely screwed?

    Sent from my R2 unit using DroidForums
    If we all agree on it, it must be true.[citation needed​]
  10. Droid
    mfendley's Avatar
    Member #
    136923
    Join Date
    Nov 2010
    Posts
    52
    Liked
    3 times
    Phone
    D4, Xoom
    #9
    Even if you meet conditions 1-4 listed above, you should only be out the amount you have loaded on your Google card (assuming that is your default card). Even if you have another card memorized in order to replenish the funds on your Google card, the CCV is not stored. This data would also have to be subjected to the brute force attack, in addition to the PIN. This adds another level of complexity.
  11. Droid Ninja
    xeene's Avatar
    Member #
    82269
    Join Date
    Jun 2010
    Location
    usa
    Posts
    1,540
    Liked
    234 times
    Phone
    droid maxx
    #10
    I use Google Wallet, I'm rooted and I don't use a lock PIN. I do have seekdroid installed on my phone. In the event I would lose my phone (VERY unlikely) all I need is access to any internet PC from which I can either wipe my phone completely or turn on GPS or Wi-Fi and get the exact location of it, or access its info with all incoming/outgoing calls and messages. This is really a non-issue if you know what you are doing.
    Sony CM-B1201 > Samsung SCH-8500 > Motorola RAZR V3m > Samsung SCH-i760 > Motorola DROID X > HTC Thunderbolt > Samsung Galaxy Nexus/Motorola Droid Razr Maxx > Droid Maxx