Have Fingers, 30 Seconds? You, Too, Can Hack Google Wallet

Mobile payments seem to be the last open front in the war against cash, and yesterday mobile blog TheSmartPhoneChamp highlighted another setback. A video explains a dead-simple way to gain access to funds stored in Google Wallet, a mobile payment system currently available to Nexus S users. By simply clearing the application’s settings, anyone can create a new PIN and enter it to access any funds available on the account’s Google Prepaid Card.

In a statement to the blog Android and Me, Google promised to patch the vulnerability:

“We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

The flaw highlights that funds loaded into Google Wallet aren’t stored the way your Gmail or Google+ account is, ethereal and cloud-based; the balance is tied to your physical device, a trait which, combined with the flaw, makes any money loaded into your futuristic phone wallet just as vulnerable to loss or theft as your real wallet. Which you already carry. Which works fine for most of humanity.

Mobile payment offerings such as Google Wallet, Wells Fargo’s Nokia trial, and PayPal’s smartphone app all try to get consumers to ditch their wallets in favor of their phones, but have added scant value so far. If funds stored on your smartphone are neither more convenient (who, exactly, carries their phone but not their wallet?) nor more secure (the aforementioned flaw), what’s the incentive to switch to a digital billfold? The solutions chase the problem, but the latter hasn’t materialized yet.