Google has patched a hole in Google Wallet that could’ve allowed someone to access a user’s funds simply by resetting the PIN and using a prepaid card.
The company said yesterday it has issued a fix that now prevents a prepaid card from being re-provisioned to another person. It has also restored the ability to issue new prepaid cards following a move on Monday to disable the use of such cards.
Osama Bedier, vice president of Google Wallet and Payments, said that he wasn’t aware of any actual incidents of people abusing the prepaid cards or Wallet PIN, but “we took this step as a precaution to ensure the security of our Wallet customers.”
Bedier further advised users unable to access their previous prepaid card balance to contact Google support.
Two hacks uncovered last week prompted Google’s actions as they raised concerns about the security of the Google Wallet service.
The first hack, discovered by security firm Zvelo, could’ve let a stranger access the user’s PIN. This hack, however, required that the mobile device be rooted, a process that can take a fair amount of time and skill, and not something that could easily be done on the fly.
But the second hack, described by blogging site The Smartphone Champ, was more alarming in that it could be performed by anyone. Simply resetting the Google Wallet service, entering a new PIN, and then using the existing prepaid card could’ve given a stranger open access to the user’s funds.
A lost or stolen phone without a screen lock would be especially vulnerable, particularly to the second hack, which could be performed in a matter of minutes.
Google did respond to the hacks in a reasonable amount of time and took the right precautions by disabling the prepaid card access before it created a fix. And the company has insisted that the overall security of Google Wallet is solid, in many ways safer than using a conventional credit card to pay for items.
“Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet.” Bedier wrote. “In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t.”
Bedier is right in saying that paying for items via your mobile phone will become more common. But so far the technology is off to a slow and rough start.
The requisite NFC (near-field communications) technology is so far only available in a couple of
Android phones. Google itself has seen a slow adoption for Google Wallet. Combine that with the recent hacks, and some have wondered if the company may be forced to rethink its approach to the mobile payments service.
Ultimately, it’s also up to Google and the rest of the industry to ensure that the technology is safe and secure. Surveys conducted about NFC have revealed security as the number one concern among consumers. Hacks like the ones discovered last week will inevitably increase those concerns, no matter how quickly companies are able to fix them.