Google Wallet Prepaid Security Flaw Fixed; Brute-Force Issue Not Addressed

[dgstorm]

Just last week we shared a couple of security flaws in Google Wallet with you guys. One was a brute-force hack that required your phone to be rooted to get access to your Google Wallet. The other didn't require your phone to be rooted, nor did it require any real hacking skills from the bad guys. Both of these security issues required that your phone be stolen by the potential crooks and were easily foiled if you simply lock your device.

Since then, Google temporarily disabled the prepaid services while they worked on a fix for that particular security vulnerability. Today, Google shared that they have fixed that issue, and have restored the prepaid services. The "brute-force" hack issue has not been addressed, and likely won't. Google made it clear in their previous statement that they do not consider that vulnerability a big enough (or easy enough to pull-off) flaw, and that users should simply not root their phones if they are going to use Google Wallet. Of course, that won't make very many folks very happy, and the real lesson is to simply set a lock pattern on your phone of some kind. Here is Google's statement regarding the prepaid fix:

Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet. In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user. While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers. If you are unable to access your previous prepaid card balance for any reason, please contact our toll-free support for assistance.

Source: TalkAndroid and GoogleCommerce