It looks like the Google Wallet service has a security vulnerability that can be exploited to crack your PIN. It's important to note that several things have to line up to make this happen. Here's how it breaks down, and all of these things must be true for the vulnerability to be exploited:
- You have a phone with Google Wallet set up (currently the Nexus S and Galaxy Nexus)
- Your phone is rooted
- You don't use lock screen security (PIN, pattern, face unlock, etc)
- You lose your phone
Here's how the exploit works. Basically, Google Wallet stores your PIN as a hex-encoded SHA256 hash. Since a 4-digit PIN has only 10,000 possible values, all you need is a brute-force attack to recover it from the hash: generate at most 10,000 SHA256 hashes and compare them against the stored value, which would be easy for a smartphone to accomplish.
Unfortunately, there is no easy way for Google to fix this security flaw. There are at least a couple of viable options for them. One is to offload the PIN security to the banks. However, more than likely the banks are loath to do this, because it would mean more costs for them, and would also mean you would have to trust your bank's security system more.
Another idea proposed is to change it from a 4-digit PIN to a more secure password with a minimum of 6 characters and a mix of letters and numbers. Unfortunately, this isn't the ideal solution either, since typing in a long password could be time-consuming when you are waiting in line at a check-out counter. Additionally, the long password option could kill it as a viable idea, because it over-complicates the process, which would likely turn off a lot of consumers.
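To make the two points above concrete, here is an added example (not code from Google Wallet or from the researchers who reported the issue) that models the stored-hash scheme and measures why it fails: the keyspace of a 4-digit PIN is 10,000 regardless of which hash function is used, so an offline search over a copied digest always finishes. The same block models the alternative a defender would want, which is an assumption for illustration only: PIN verification that needs a secret key the app's storage never holds (such as a key inside a secure element) and that enforces a retry budget, so copying the stored tag gives an attacker nothing to search against. The 6-character alphanumeric proposal is covered by the keyspace helper so the two sizes can be compared.

```python
"""Model of an unsalted hashed PIN versus keyed, rate-limited verification.
Added example: assumptions are the HMAC-based keyed scheme, the
device_key held outside app-readable storage, and the 5-attempt lockout."""
import hashlib
import hmac
import itertools
import os
import string

PIN_LENGTH = 4


def pin_keyspace(length=PIN_LENGTH, alphabet=string.digits):
    """Number of distinct candidates for a PIN of this length and alphabet.
    4 digits -> 10,000; 6 lowercase alphanumerics -> 36**6."""
    return len(alphabet) ** length


def store_pin_weak(pin):
    """The scheme the article describes: hex(SHA-256(PIN)) written to storage."""
    return hashlib.sha256(pin.encode()).hexdigest()


def guesses_to_recover(stored_hex, length=PIN_LENGTH):
    """Offline search over the full digit keyspace against a copied digest.
    Returns (pin, number of hashes computed), or (None, keyspace) if no
    candidate matches. This is the article's 'at most 10,000 hashes'."""
    for guesses, digits in enumerate(itertools.product(string.digits, repeat=length), start=1):
        candidate = "".join(digits)
        if hmac.compare_digest(store_pin_weak(candidate), stored_hex):
            return candidate, guesses
    return None, pin_keyspace(length)


class KeyedPinVerifier:
    """Assumed hardened design: the stored value is HMAC-SHA256(device_key, PIN),
    the key never leaves the verifier, and guesses are capped."""

    def __init__(self, pin, device_key, max_attempts=5):
        self._key = device_key
        self._tag = hmac.new(device_key, pin.encode(), hashlib.sha256).digest()
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_attempts

    def verify(self, pin):
        """Constant-time check; refuses everything once the retry budget is spent."""
        if self.locked:
            return False
        tag = hmac.new(self._key, pin.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._tag):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def exported_tag(self):
        """What someone who copies the app's storage obtains: the tag, never the key."""
        return self._tag.hex()


def online_guesses_before_lockout(verifier, length=PIN_LENGTH):
    """Walk the digit keyspace through the verifier itself (the only path that
    can evaluate a guess). Returns (pin or None, guesses accepted before lockout)."""
    guesses = 0
    for digits in itertools.product(string.digits, repeat=length):
        if verifier.locked:
            break
        guesses += 1
        candidate = "".join(digits)
        if verifier.verify(candidate):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed sample values.
    digest = store_pin_weak("1234")
    print("weak scheme recovered:", guesses_to_recover(digest))      # ('1234', 1235)
    verifier = KeyedPinVerifier("1234", os.urandom(32))
    print("offline search on keyed tag:", guesses_to_recover(verifier.exported_tag()))
    print("online search stops at:", online_guesses_before_lockout(verifier))
```

Running the block shows the contrast: the weak digest for `1234` falls on the 1,235th hash, the same search over the keyed tag exhausts all 10,000 candidates without a match, and guessing through the verifier is cut off after five attempts. The retry budget is what makes a 4-digit secret survivable; no choice of hash function does, because the search cost is bounded by the keyspace, not by the hash.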
Because of these issues, it is unlikely we will see anything done initially to deal with this problem, especially since a number of things must occur for this to be possible. Of course, as more phones get NFC technology, the risk goes up. Ultimately, it really depends upon the user not losing their phone and/or setting a lock screen on it. It's also worth pointing out that this vulnerability only affects "rooted" users, and while that means quite a few of you guys, it doesn't really affect the vast majority of consumers. Above is a video of the exploit in action. Does this make you less likely to use Google Wallet?