The Smartphone Champ spotted the flaw, which enables access to Google Wallet simply by resetting the application data on the phone: this reset wipes the stored PIN but saves the card details, meaning a new PIN can be set up and purchases made immediately.
According to the Register, Google has responded with a statement, providing a phone number to call if your phone is stolen or you resell it. Google can then disable the prepaid card and Wallet.
The application manager on the Android platform has the ability to clear app-caches and wipe all data belonging to the specific app, as well as uninstalling the app itself. The Google Wallet app stores the user’s PIN in a file, so wiping the data wipes the PIN.
However, the card details are stored safely in the Secure Element, so are not wiped when the “application data” is removed.
Running Google Wallet after clearing its data makes the app assume that it is being run for the first time, so it asks the user to create a PIN. The app then asks to add a prepaid card, but finds details already installed in the Secure Element, which it then readies for use.
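The state split described above, modelled as an added example (not Google Wallet code): the flawed design keeps the PIN in clearable app data, while the hardened variant is one assumed mitigation that keeps the PIN verifier beside the card. All class names, the salt, the PINs and the card value are constructed for illustration.

```python
import contextlib
import hashlib

def verifier(pin: str) -> bytes:
    # Stand-in for a real PIN verifier; the salt is a constructed sample value.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"sample-salt", 10_000)

class SecureElement:
    """Survives 'clear data'; holds the card and (hardened design only) the PIN verifier."""
    def __init__(self):
        self.card = None
        self.pin = None

class FlawedWallet:
    """PIN lives in app data, card in the Secure Element, as the article describes."""
    def __init__(self, se):
        self.se, self.app_pin = se, None

    def clear_app_data(self):
        self.app_pin = None            # PIN file wiped, Secure Element untouched

    def first_run(self, new_pin, card=None):
        if self.app_pin is not None:
            raise RuntimeError("PIN already set")
        self.app_pin = verifier(new_pin)
        if self.se.card is None:
            self.se.card = card        # otherwise the existing card is readied for use

    def pay(self, pin):
        return self.se.card if verifier(pin) == self.app_pin else None

class HardenedWallet(FlawedWallet):
    """Assumed mitigation: PIN verifier stored with the card, so a wipe cannot reset it."""
    def first_run(self, new_pin, card=None):
        if self.se.pin is not None:
            raise PermissionError("card already bound to a PIN; re-provision required")
        self.se.pin, self.se.card = verifier(new_pin), card

    def pay(self, pin):
        return self.se.card if verifier(pin) == self.se.pin else None

def replay(wallet_cls):
    """Owner sets up the wallet; app data is then cleared and a new PIN is attempted."""
    w = wallet_cls(SecureElement())
    w.first_run("4821", card="prepaid-card-sample")
    w.clear_app_data()
    with contextlib.suppress(PermissionError):
        w.first_run("0000")
    return w.pay("0000")
```

`replay(FlawedWallet)` returns the card because the new PIN is accepted after the wipe; `replay(HardenedWallet)` returns `None` because the card stays bound to the original PIN.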
Although neither this flaw nor the related hack news from earlier in the week makes the Wallet any less secure than a normal wallet, with cybersecurity at the forefront of the news at the moment, it is another knock to users' trust in mobile payment applications.
Is Google Wallet a step in the right direction to more secure payments or is it opening the floodgates for more fraud?