Google Wallet reactivates prepaid card provisioning

Google (NASDAQ:GOOG) has restored prepaid card provisioning capabilities to its Google Wallet mobile commerce platform days after patching a vulnerability that left the service open to criminal attack.

"Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet," vice president of Google Wallet and Payments Osama Bedier writes in a Google Commerce blog entry published late Tuesday. "In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user. While we're not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers." Bedier adds that in the event consumers are unable to access their previous prepaid card balance for any reason, they should contact Google toll-free support.

Last week, security firm Zvelo revealed that the Google Wallet PIN, the code required to confirm purchases made with Android devices, can be cracked using an exhaustive numerical search. That means if a rooted Android phone without a screen lock is lost or stolen, thieves could access the encrypted file that stores the PIN and exploit the user's Google account.

Bedier urges consumers against rooting their smartphones. "Google Wallet is protected by a PIN--as well as the phone's lock screen, if a user sets that option," Bedier writes. "But sometimes users choose to disable important security mechanisms in order to gain system-level 'root' access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That's why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device."

In the wake of Zvelo's discovery, tech blog TheSmartphoneChamp identified a second method of attack that impacts all Google Wallet users, regardless of whether their Android phone is rooted. This flaw enables thieves to access Google Wallet app settings and tap "Clear data," erasing all Wallet information stored on the device. The next time Wallet is opened, it offers the initial setup process again, including entering a new PIN and tying the tap-and-pay service to a Google account. The setup process also enables the thief to re-attach the default Google Wallet prepaid card to the app. As TheSmartphoneChamp notes, Google Wallet is tied to the device itself, not the Google account, so it adds the same prepaid card previously attached to the phone, granting thieves access to all funds added by the original owner, complete with a new PIN enabling them to easily complete payment transactions.

"We will learn much more as we continue to develop Google Wallet," Bedier notes. "In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don't."

Introduced last year, the Near Field Communications-based Google Wallet enables consumers to make purchases by tapping their Android smartphone at 300,000-plus MasterCard PayPass-enabled merchant terminals. Google Wallet also includes support for SingleTap, which allows users to redeem coupons and/or earn rewards points.
