UPDATED 09:35 EST / FEBRUARY 09 2012

Cracked! Google Wallet PIN Raises Big Security Concerns for Mobile Payments

More people are now enjoying the freedom of shopping without having to bring cash or credit cards because they use an NFC-enabled smartphone, like the Samsung Galaxy Nexus S 4G on Sprint. To finalize a transaction, a shopper just taps her NFC smartphone on a PayPass reader and she's done.

Some people may think that this method is secure, since your credit card cannot be duplicated and no one else but you handles your device, even when you are paying. But a security firm has shown this to be a false sense of security.

Zvelo Senior Engineer Joshua Rubin pointed out that the problem with Google Wallet on the NFC-enabled Samsung Galaxy Nexus is that the PIN is stored on the mobile device, not on the NFC chip. NFC chips offer more security than the mobile device itself, so storing your PIN on the mobile device is the crux of the problem.

“Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes,” Rubin wrote in a blog post. SHA refers to Secure Hash Algorithm, which is one of a number of cryptographic hash functions. “This is trivial even on a platform as limited as a smartphone.”

They developed an app that could easily crack your Google Wallet PIN, so if you lose your phone and you're using Google Wallet, whoever has it could use your account to purchase anything they want, leaving you with a tidal wave of bills that you have no idea how you're going to pay.

Google hasn't said what it plans to do about the security flaw, but Rubin stated that those who have rooted NFC phones are vulnerable to such an attack. Just to be safe, activate the lock code of your device so no one can use it without your permission, and don't lose your phone!
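The arithmetic Rubin describes, and why it matters where the PIN check lives, can be shown with a short model. This is an added example, not code from zvelo or Google: the salted SHA-256 layout, the `AttemptLimitedVerifier` class and the five-try limit are assumptions made for illustration, and the PIN is constructed.

```python
import hashlib, hmac, os

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every 4-digit PIN

def pin_hash(pin, salt):
    # Constructed layout (assumption): SHA-256 over salt || PIN.
    return hashlib.sha256(salt + pin.encode()).digest()

def offline_search(stored, salt):
    """Hash readable from device storage: nothing limits the guesses."""
    for tries, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(pin_hash(pin, salt), stored):
            return pin, tries
    return None, len(PIN_SPACE)

class AttemptLimitedVerifier:
    """Hypothetical model of a verifier in tamper-resistant hardware: the
    hash never leaves it and a retry counter locks the PIN."""
    def __init__(self, pin, max_tries=5):
        self._salt = os.urandom(16)
        self._stored = pin_hash(pin, self._salt)
        self._max = self._left = max_tries
        self.locked = False

    def verify(self, guess):
        if self.locked:
            return False
        if hmac.compare_digest(pin_hash(guess, self._salt), self._stored):
            self._left = self._max  # success resets the counter
            return True
        self._left -= 1
        self.locked = self._left == 0
        return False

def online_search(verifier):
    """Guess through the verifier's interface; stop at lockout."""
    for tries, pin in enumerate(PIN_SPACE, start=1):
        if verifier.verify(pin):
            return pin, tries
        if verifier.locked:
            return None, tries
    return None, len(PIN_SPACE)

if __name__ == "__main__":
    salt, pin = os.urandom(16), "9999"  # constructed worst-case PIN
    print("offline:", offline_search(pin_hash(pin, salt), salt))
    print("limited:", online_search(AttemptLimitedVerifier(pin)))
```

The salt does not help in the offline case because it sits next to the hash; with a 10,000-value keyspace, only a verifier that counts failed attempts and keeps the hash out of reach bounds the search, and even then a low PIN such as "0003" falls inside the retry budget.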

Rising mobile payment security issues

This type of security flaw isn't something new. If you remember, VeriFone humiliated Square because the card readers Square so gladly gives its customers were found to be usable for skimming, or stealing the track data on a card's magnetic stripe. This is worse than having access to a person's Google Wallet PIN, because the track data can be used to mass duplicate the credit card and create enormous problems for the card owner.

Speaking of VeriFone, they recently launched PayWare Mobile Enterprise for Tablets, “a software solution that, in conjunction with a dongle, enables an iPad 2 to accept NFC payments, sign customers up for loyalty products, and check prices.”  Merchants can access anything across all their devices via the Verifone HQ management software.

