Google Wallet Hacked Again: This time it's scarier - simple and no root needed

[dgstorm]

[video=youtube;Rh1ytHrhj2E]http://www.youtube.com/watch?feature=player_detailpage&v=Rh1ytHrhj2E[/video]​

Security systems seem to fall quickly with today's tech, but this particular bit of news makes you wonder how such an obvious design flaw made it past Google to begin with. Just one day after we found out about an exploit in Google Wallet that would allow a phone thief to "brute force" hack his way into your mobile wallet account, a far easier method than the previous one has been discovered. In fact, this easier method doesn't even require your phone to be rooted, nor does it require the thief to be very tech-savvy at all. Here's a quote from the Talk Android article with the details,

Basically all individuals have to do to access a user’s funds is clear the data in the app settings— which forces Google Wallet to prompt them to enter a new PIN. After the new PIN is entered, it’s as simple as adding a Google Prepaid Card tied to the device and then there the ability to access any available funds.

That's pretty scary, and what is even more scary is that this has been confirmed by multiple sources, and Google even issued a statement on the issue,

”We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

You can see the exploit in action in the video above. Hmmm... if I wanted to use the Google Wallet service, I think I would consider waiting until Google worked out a fix for this. What do you guys think?

Source: Android.net via TalkAndroid

 

[syndicate0017]

I stated in a thread about this last night that its really not a big deal. Its still safer than losing your wallet. Plus if my phone is lost/stolen, first thing I'm doing is reporting it to Verizon who will block all phone and data access on the device rendering Google wallet useless anyway.

Sent from my Galaxy Nexus using Tapatalk

 

[2THEXTRM]

I dont even keep the paypal app on my phone. Google offering $10 to open an account shows how eager they were to get into the electronic funds biz. Their greed apparently outweighed the security issues of their clients. Glad i dont have a phone capable of using wallet.

Sent from my VTAB1008 using DroidForums

 

[Dusty]

So, once again the lesson to the story is...


PUT A LOCK SCREEN ON YOUR JUNK.

Seems to be some type of a pattern here. Hmmm.
I mean, seriously!? How hard is it for people to understand that if you are going to use your device as a sensitive information access point you may want to AT LEAST lock the front door!

 

[dgstorm]

So, once again the lesson to the story is...


PUT A LOCK SCREEN ON YOUR JUNK.

Seems to be some type of a pattern here. Hmmm.

Very wise advice! And, as you point out... it should be obvious.
I mean, seriously!? How hard is it for people to understand that if you are going to use your device as a sensitive information access point you may want to AT LEAST lock the front door!

This is very wise advice! And, as you pointed out... it should be obvious.

 

[akhenax]

I find it hilarious that users were complaining and hacking their devices and concocting an install process to install Google Wallet.

I never thought I would say this, but Big Red was right all along.:blink:

 

[sb1831]

I find it hilarious that users were complaining and hacking their devices and concocting an install process to install Google Wallet.

I never thought I would say this, but Big Red was right all along.:blink:

True. I remember when everyone was pissed because they thought they Galaxy Nexus was being delays because of Google Wallet. It turns out the app has no place on a phone to begin with and VZW was right.

 

[wolstonc]

Its harder to install Google wallet than it is to hack it. But I still wouldn't call vzw right. They had no idea of this when they decided to block it

Sent from my Galaxy Nexus using DroidForums

 

[Dusty]

I'd be willing to bet the rest of the money I make for the rest of the year that the primary reason VZW was against Google Wallet was because they didn't get a cut in the action. They spend more time and money in trying to lure you into using their bloat than security measures.

 

[syndicate0017]

I'd be willing to bet the rest of the money I make for the rest of the year that the primary reason VZW was against Google Wallet was because they didn't get a cut in the action. They spend more time and money in trying to lure you into using their bloat than security measures.

Exactly. It has nothing to do with a "design flaw" that is easily counteracted by being pro-active and de-activating your phone in the event it's lost or stolen. That's why VZW is trying to create a wallet-like app of their own. They don't get a cut out of Google Wallet.

 

[akhenax]

Is it better to be right for the wrong reason, or wrong for the right reason?

 

[ænyoc]

A lockscreen actually won't help. Simply reflash the rom (or any rom, or even stock odin), install GW and re-initialize it. Your previous funds will be there (or if you have nefarious reasons, the original owner's funds). Your GW account isn't tied to your gmail account. It's tied to your phone's nfc chip. Doesn't matter what email address you use to log into GW with, the same funds will be there.

I learned this when I had to return my original GNex. Setup GW on the new phone and my funds from my original GW account were unavailable and they gave me a new $10, even though I used the same email address. Wiped and reflashed, this time logged in with a different account thinking I'd recoup the $20 that was on my original account ($10 for each activation). No such luck, even though I used a different email address on a fresh rom. It pulled up the same card I had with my other email address... and the $10 was still there. If you sell/gift/lose/return/part with your phone, call them and have them deactivate your GW account.

 

[captdroid]

Is it better to be right for the wrong reason, or wrong for the right reason?

Neither, better to be right for the right reason

 

[Juicemane]

A lockscreen actually won't help. Simply reflash the rom (or any rom, or even stock odin), install GW and re-initialize it. Your previous funds will be there (or if you have nefarious reasons, the original owner's funds). Your GW account isn't tied to your gmail account. It's tied to your phone's nfc chip. Doesn't matter what email address you use to log into GW with, the same funds will be there.

I learned this when I had to return my original GNex. Setup GW on the new phone and my funds from my original GW account were unavailable and they gave me a new $10, even though I used the same email address. Wiped and reflashed, this time logged in with a different account thinking I'd recoup the $20 that was on my original account ($10 for each activation). No such luck, even though I used a different email address on a fresh rom. It pulled up the same card I had with my other email address... and the $10 was still there. If you sell/gift/lose/return/part with your phone, call them and have them deactivate your GW account.

Sorry but you are somewhat incorrect.

Wallet is linked to your Gmail Account, the balance is related directly to your NFC Chip (so you cant scam $10 over and over) but the actual account information is all done through your Gmail account. I had to exchange my first G Nexus and I used wallet on it. When I installed on the new device I installed wallet and lost my old balance. Balance information is routed through the phone and not your google account. However; if you reflash a rom without doing a data wipe, you will still have the lockscreen on... if you do a data wipe, the account information is gone, rendering google wallet useless.

See the point here? Even if you have a balance on Wallet, if you dont sign into the corresponding Google Account, you cannot do anything with the funds.

Put a lock on your device if you use wallet. Case and point. Or... just dont store your credit card info into wallet...

Funny thing about this is most people are pissed about the concept of someone hacking the Wallet, when in reality you only have $10 on it... I would be more concerned about the $600 phone that was lost or stolen, then to worry about some jerk off stealing my free money in my wallet account.

Ignorance is bliss.

 

[Frankiebonez]

I think someone else mentioned this at some point, but its no worse than actually losing your wallet. If it could be more secure thats great, but like I just stated its just like losing your wallet with your credit cards in it. Same sort of scenario has to occur for this to be a real security breach. Also, if you dont put a screen lock on your phone with sensitive and personal information your just being stupid.... sorry, truth hurts!