Google Wallet Hacks – Why the sky is not falling


This bit of news landed on my feed today morning and left me much distraught. Every time there is the slightest murmur of a security issue around mobile wallets, the tech media and blogs – ever so informed, has to find the nearest tallest tower to shout it out from. It serves as a doubled edged sword in that it both leads to public humiliation at the town square for the brand in question, plus it further spreads FUD and instills a deep sense of mistrust towards that digitization of wallets and ends up being applied quite broadly which is quite unfair.

In this specific instance Google Wallet saw two hacks back to back, the first afflicting rooted phones where a person’s PIN could be derived, and the second requiring no root access at all. Rooting a phone – primarily accomplished to remove the crap installed by the Carrier, is not an issue on the Sprint Nexus S and Galaxy Nexus, which are both Google branded phones with the latest Android version – ICS and very little else. That being said, the first hack affecting rooted phones, in my opinion, was a more serious affliction – because it opened up the wallet in its current state and allowed the person who recovered the PIN to use it any number of times till the legal owner informed Google to shut off Pre-paid access as well as Citi to cancel the card.

The second hack is broader in the sense that it affects every Sprint Nexus S and Verizon Galaxy Nexus phone, whether rooted or not, in that the thief can reset the “USB Storage Data” for the Wallet app and in turn force a reset on the PIN used to access the wallet. Accessing Google Wallet subsequently will prompt the user to create a new PIN (without requiring the entry of the old one – a glaring omission on Google’s part) and subsequently allow the user access in to the Wallet. Once inside, the user can reactivate their Google Prepaid account which unfortunately is a seamless process which does not further require the user to re-authenticate(Bad Google!). This lets you back in to the Pre-paid account in its prior state, with full access to the remaining funds on that pre-paid account. Until the point in time when the legal owner contacts Google to revoke access to those pending funds, the thief can have free reign to those funds. Again, it is unlikely that the Prepaid account have funds over $100, and any further replenishment will require the thief to associate a new Credit Card with the Prepaid account. Additionally, the Citi credit card on account is removed, and the user will have to yet again provision a Citi Credit Card(which requires that they have access to the card information) which is harder to do as GW requires entry of ZipCode and Birth Year, which may be hard to come by for someone who just stole your phone.

In closing, all hyperbole aside, it is not the end of the world. As technologies around utilizing one’s phone as the payment form factor matures, we will come across further evidence of why security and privacy needs to be more than just an afterthought. Google certainly slipped up here and should not have sacrificed security for convenience, especially when we all are still making a case for mobile wallets to an apathetic populi. But from the time this story broke, as each news outlet or block picked up on it, there was less and less mention of “thief has access to remaining funds on the Prepaid account and nothing more” and more of “Good lord! We are all gonna die!”. Let’s put things in perspective people! And will someone think about the children?!

What do you think? Sound off below. And please share using the Share buttons below

If you read this far, you should follow me on Twitter here. Connect with me on LinkedIn here.

Board of Advisors at SimplyTapp - creators of Host Card Emulation driving democratization and open access to NFC in Android. Mobile Commerce & Payments Lead at Experian Global Consulting, serving Experian's clients in Banking, Retail, Consumer Credit & Payments. A strategic adviser w/ over 17 years of international Tech & Business Strategy consulting, advising firms in banking, retail & asset mgmt that seek clarity & insight in to the myriad business models around payments, fraud & commerce. Founded DROP Labs, a mobile payments/commerce strategy & advisory practice. Tweets here. I'm on LinkedIn here.
Cherian Abraham
View all posts by Cherian Abraham
Tagged , , , , ,
  • Anonymous

    Yes Please the Children!!  

    Cherian, I am pleased to see that you have taken the stance that indeed the sky is not falling.  Moreover, it is my opinion that additional security issues can easily put in place to assure payment options on a phone are secure.  However, from a Google and new product perspective, the digital wallet companies look to make payments better and easier and that means make it as simple as possible.

    So in short, Google perhaps should have included some additional security mechanism but for the first product out of the gate I still think Google did a pretty good job.  Lets see how ISIS, Apple, Facebook…yes FB, along with the others incorporate security into their digital wallets.   Looking forward to it.

    All the best,

    Ted 

  • My concern over here is not the severity of the actual breach but the fact this makes everyone assume that any newcomer to the digital wallet space can’t get their act together, and the incumbent players are happy to highlight it due to blatant self-interest.

    This is not the first time Google didn’t do its homework especially in regards to payments but this reflects the greater community.

  • Bruno

    Does Google know there’s a secure element in the phone, and that they could probably make a good use of it ?! (to store the PIN for example)

    And what about Citi and Mastercard security officers… Fire those guys, they don’t deserve any cent of their salary !

  • Giorgio

    This is what OTT players are about, giants on marketing, very poor and superficial on payments and security!