This bit of news landed on my feed today morning and left me much distraught. Every time there is the slightest murmur of a security issue around mobile wallets, the tech media and blogs – ever so informed, has to find the nearest tallest tower to shout it out from. It serves as a doubled edged sword in that it both leads to public humiliation at the town square for the brand in question, plus it further spreads FUD and instills a deep sense of mistrust towards that digitization of wallets and ends up being applied quite broadly which is quite unfair.
In this specific instance Google Wallet saw two hacks back to back, the first afflicting rooted phones where a person’s PIN could be derived, and the second requiring no root access at all. Rooting a phone – primarily accomplished to remove the crap installed by the Carrier, is not an issue on the Sprint Nexus S and Galaxy Nexus, which are both Google branded phones with the latest Android version – ICS and very little else. That being said, the first hack affecting rooted phones, in my opinion, was a more serious affliction – because it opened up the wallet in its current state and allowed the person who recovered the PIN to use it any number of times till the legal owner informed Google to shut off Pre-paid access as well as Citi to cancel the card.
The second hack is broader in the sense that it affects every Sprint Nexus S and Verizon Galaxy Nexus phone, whether rooted or not, in that the thief can reset the “USB Storage Data” for the Wallet app and in turn force a reset on the PIN used to access the wallet. Accessing Google Wallet subsequently will prompt the user to create a new PIN (without requiring the entry of the old one – a glaring omission on Google’s part) and subsequently allow the user access in to the Wallet. Once inside, the user can reactivate their Google Prepaid account which unfortunately is a seamless process which does not further require the user to re-authenticate(Bad Google!). This lets you back in to the Pre-paid account in its prior state, with full access to the remaining funds on that pre-paid account. Until the point in time when the legal owner contacts Google to revoke access to those pending funds, the thief can have free reign to those funds. Again, it is unlikely that the Prepaid account have funds over $100, and any further replenishment will require the thief to associate a new Credit Card with the Prepaid account. Additionally, the Citi credit card on account is removed, and the user will have to yet again provision a Citi Credit Card(which requires that they have access to the card information) which is harder to do as GW requires entry of ZipCode and Birth Year, which may be hard to come by for someone who just stole your phone.
In closing, all hyperbole aside, it is not the end of the world. As technologies around utilizing one’s phone as the payment form factor matures, we will come across further evidence of why security and privacy needs to be more than just an afterthought. Google certainly slipped up here and should not have sacrificed security for convenience, especially when we all are still making a case for mobile wallets to an apathetic populi. But from the time this story broke, as each news outlet or block picked up on it, there was less and less mention of “thief has access to remaining funds on the Prepaid account and nothing more” and more of “Good lord! We are all gonna die!”. Let’s put things in perspective people! And will someone think about the children?!
What do you think? Sound off below. And please share using the Share buttons below