
Google Wallet PIN Falls to Brute Force Hack Attack

Discussion in 'Android News' started by dgstorm, Feb 9, 2012.

  1. dgstorm (Editor in Chief, Staff Member, Premium Member) | Joined: Dec 30, 2010 | Messages: 6,850 | Likes Received: 1,177 | Trophy Points: 113 | Location: Austin, TX
    It looks like the Google Wallet service has a security vulnerability that can be exploited to crack your PIN. It's important to note that several things have to line up to make this happen. Here's how it breaks down, and all of these things must be true for the vulnerability to be exploited:

    1. You have a phone with Google Wallet set up (currently the Nexus S and Galaxy Nexus)
    2. Your phone is rooted
    3. You don't use lock screen security (PIN, pattern, face unlock, etc.)
    4. You lose your phone

    Here's how the exploit works. Basically, Google Wallet stores your PIN using a SHA256 hex-encoding. This means all that you need is a brute-force attack to crack the encryption. You simply need to generate at most 10,000 SHA256 hashes, which would be easy for a smartphone to accomplish.

    Unfortunately, there is no easy way for Google to fix this security flaw. There are at least a couple of viable options for them. One is to offload the PIN security to the banks. However, more than likely the banks are loath to do this, because it would mean more costs for them, and would also mean you would have to trust your bank's security system more.

    Another idea proposed is to change it from a 4-digit PIN to a more secure password with a minimum of 6 digits and a mix of letters and numbers. Unfortunately, this isn't the ideal solution either, since typing in a long password could be time-consuming when you are waiting in line at a check-out counter. Additionally, the long password option could kill it as a viable idea, because it over-complicates the process, which would likely turn off a lot of consumers.

    Because of these issues, it is unlikely we will see anything done initially to deal with this problem, especially since a number of things must occur for this to be possible. Of course, as more phones get the NFC technology, the risk factor goes up. Ultimately, it really depends upon the user not losing their phone, and/or setting a lock screen on it. It's also obvious to point out that this vulnerability only affects "rooted" users, and while that means quite a few of you guys, it doesn't really affect the vast majority of consumers. Above is a video of the exploit in action. Does this make you less likely to utilize Google Wallet?

    Source: TalkAndroid
    Last edited: Feb 9, 2012
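    To put numbers on the post's claim, the following Python example is added here; it is not code from the post, from TalkAndroid, or from Google Wallet itself. It models the scheme the post describes (an unsalted, hex-encoded SHA-256 of the PIN) next to a constructed hardened form (salted PBKDF2-HMAC-SHA256), and estimates the worst-case time to exhaust a 4-digit PIN versus the proposed 6-character letters-and-digits policy. The sample PIN, the iteration count and the hardened verifier are assumptions for illustration only; nothing here reads a real Wallet database.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumption: an illustrative PBKDF2 work factor, not a value from Google Wallet.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def weak_store(pin: str) -> str:
    """Model of the scheme the post describes: unsalted SHA-256, hex-encoded.
    The digest alone lets anyone who copies it check guesses offline, and
    nothing in it costs more than one SHA-256 call per guess."""
    return hashlib.sha256(pin.encode()).hexdigest()


def weak_verify(pin: str, stored_hex: str) -> bool:
    return hmac.compare_digest(weak_store(pin), stored_hex)


def hardened_store(secret: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Constructed hardened form: salted, iterated PBKDF2-HMAC-SHA256.
    The random salt defeats precomputed tables; the iteration count makes
    every guess cost `iterations` HMAC calls instead of a single hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def hardened_verify(secret: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def keyspace(length: int, alphabet: str) -> int:
    """Number of candidates an exhaustive search has to try."""
    return len(alphabet) ** length


def seconds_per_guess(verify_fn, *args, rounds: int = 20) -> float:
    """Measure the cost of one verification, i.e. of one offline guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify_fn(*args)
    return (time.perf_counter() - start) / rounds


def exhaust_seconds(space: int, per_guess: float) -> float:
    """Worst-case wall-clock time to try every candidate on one core."""
    return space * per_guess


if __name__ == "__main__":
    pin = "4826"  # constructed sample PIN
    weak = weak_store(pin)
    hard = hardened_store(pin)
    pin_space = keyspace(4, string.digits)
    pw_space = keyspace(6, string.ascii_lowercase + string.digits)

    weak_cost = seconds_per_guess(weak_verify, "0000", weak)
    hard_cost = seconds_per_guess(hardened_verify, "0000", hard, rounds=5)

    print(f"4-digit PIN keyspace: {pin_space:,}; 6-char letters+digits keyspace: {pw_space:,}")
    print(f"unsalted SHA-256: {exhaust_seconds(pin_space, weak_cost):.3f} s to exhaust a 4-digit PIN")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: {exhaust_seconds(pin_space, hard_cost):.0f} s to exhaust a 4-digit PIN")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: {exhaust_seconds(pw_space, hard_cost) / 86400:.0f} days for a 6-char password")
```

    Running it shows that the 10,000-candidate PIN space falls in a fraction of a second under plain SHA-256, and still only takes minutes even with a slow KDF, because a 4-digit PIN has too little entropy for any offline scheme to protect; that is the reason the post's first option (keeping PIN checking somewhere the finder of the phone cannot run guesses at will) matters more than the hash choice. The 6-character policy is the other lever: its keyspace is over 200,000 times larger, which is what turns the slow-KDF estimate from minutes into years.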
  2. Nealius (New Member) | Joined: Jul 3, 2010 | Messages: 362 | Likes Received: 1 | Trophy Points: 0
    Every cool new toy gets hacked. This is why we can't have cool stuff.
    So I lose my phone, it gets hacked. Someone gets to spend the little bit of money I keep on my phone. I'm more bummed that I lost my phone. As I say that, I'm going to play with my security options and make sure my funding card is not attached to my wallet account.

    Sent from my GummyNex'd Galaxy Nexus!
  3. wolstonc (New Member) | Joined: Oct 14, 2011 | Messages: 234 | Likes Received: 6 | Trophy Points: 0
    How does being rooted or not change things on this?

    Also, I guess I don't worry much, because I wish I didn't have a PIN at all. Losing my credit card would still be easier to exploit than this.

    Sent from my Galaxy Nexus using DroidForums
  4. johnomaz (Well-Known Member) | Joined: Jul 12, 2010 | Messages: 2,370 | Likes Received: 205 | Trophy Points: 63 | Location: Central Valley, California
    I'm sorry, but if you have your credit card info in Google Wallet and do not have a lock PIN or pattern on your phone, you're a dumb ass. Your phone also has to be rooted. Sure, I guess someone could find your lost phone and root it themselves, but come on, what are the chances that someone who finds a phone and decides to steal it will know what rooting is? If I were to use Google Wallet, I'd make sure I wasn't rooted and had a screen lock in place. That is, IMO, just common sense. Also, your laptop could get stolen and your bank info could get used if you store it in the browser. Just because it can be hacked doesn't mean it's suddenly insecure. Though honestly, I'm not sure why Google doesn't use some sort of encryption for their Wallet PIN numbers.
  5. Chizzele (Team Sourcery Developer) | Joined: Dec 25, 2010 | Messages: 2,002 | Likes Received: 17 | Trophy Points: 0 | Location: San Diego CA
    If someone finds your phone and tries to root it, all info on the phone will be erased including Google Wallet info as part of the rooting process so that is not an issue.

    I am rooted, I use Google Wallet and I don't use any pattern lock. I would hate to lose my phone, not because I'm worried about Google Wallet but because I'll have to get another phone. The likelihood of anyone finding the phone and knowing how to use this exploit is very slim. Plus I don't have any card information on GW other than the Google gift card.
    Last edited: Feb 9, 2012
  6. ntrddragn (New Member) | Joined: Dec 6, 2009 | Messages: 861 | Likes Received: 6 | Trophy Points: 0
    I think there are other concerns if you were to lose your phone besides GW, like your emails, contacts, pictures, stored info about yourself, your work, etc. Lots of people use email (few use GW) and I'm pretty sure those emails contain sensitive info. I use GW, have pattern lock, am not rooted (now), and only have the Google gift card loaded.
  7. B-Unit (Member) | Joined: Mar 26, 2010 | Messages: 300 | Likes Received: 4 | Trophy Points: 18
    I don't understand why having Wallet active doesn't require some type of true security, much like hooking up to an Exchange server with an iPhone requires you to have a PIN. This is a financial instrument, Google, not free e-mail. Pull your heads out.
  8. zomnomnombie (Active Member) | Joined: Mar 25, 2011 | Messages: 788 | Likes Received: 36 | Trophy Points: 28
    So Google Wallet is like a real wallet? You lose it and you're most likely screwed?

    Sent from my R2 unit using DroidForums
  9. mfendley (New Member) | Joined: Nov 12, 2010 | Messages: 52 | Likes Received: 0 | Trophy Points: 0
    Even if you meet conditions 1-4 listed above, you should only be out the amount you have loaded on your Google card (assuming that is your default card). Even if you have another card memorized in order to replenish the funds on your Google card, the CCV is not stored. This data would also have to be subjected to the brute-force attack, in addition to the PIN. This adds another level of complexity.
  10. xeene (Well-Known Member) | Joined: Jun 28, 2010 | Messages: 1,589 | Likes Received: 147 | Trophy Points: 63 | Location: usa
    I use Google Wallet, I'm rooted and I don't use a lock PIN. I do have SeekDroid installed on my phone. In the event I would lose my phone (VERY unlikely), all I need is access to any internet PC from which I can either wipe my phone completely or turn on GPS or Wi-Fi and get the exact location of it, or access its info with all incoming/outgoing calls and messages. This is really a non-issue if you know what you are doing.
  11. Tonik (Member) | Joined: Sep 11, 2011 | Messages: 553 | Likes Received: 15 | Trophy Points: 18
    To break in they need physical access to the phone, then they need to install their brute-force software. That software requires root to be able to access Google Wallet on the phone.