Significant security flaw in Google wallet

OP Evangelion01

27th December 2011, 07:08 PM   |  #21  
Royal2000H
Simple fix (force a Google authentication before setting new pin)... but it's low risk too.

Far likelier for someone to steal a credit/debit card, find a wallet, or copy the card's number and security code than for someone to find your phone, KNOW about this wallet data clearing and then use the phone as a card.
28th December 2011, 12:01 AM   |  #22  
ohnuhuh
Quote:
Originally Posted by bp328i

If you lose your phone just log into your Gmail and change the password. Problem solved.

According to the post by someone on the first page this wouldn't help at all, would it? According to that post, the money is tied to the phone itself not the Gmail account. So they could just log in with their own account and still access the money on the phone. Although I've read about people getting replacement phones and transferring their money over.. So I don't really know how all that works for sure.
Last edited by ohnuhuh; 28th December 2011 at 12:04 AM.
28th December 2011, 05:49 AM   |  #23  
Genious
It's really not that big a deal, you can't load any credit/debit card but the Citi one, and if they clear data that card is gone. If someone swipes your phone, much like your wallet you cancel/change your info and take the loss on any cash you might have had in the wallet. I don't see this being a big difference from losing whatever cash was loaded on the pre-paid card. This is NOT something I would call a serious security flaw, a nuisance maybe. Save all serious security flaw business for when someone makes an app that will let them drain your pre-paid or any other card by bumping their phone against yours, really putting that NFC to good use.
28th December 2011, 06:35 AM   |  #24  
I don't find this a big deal myself either. If you have your phone locked they have to get by that first, and it is no worse than losing your wallet, not to mention most people wouldn't even know that you can do that if they found your phone...

That said, all Wallet needs to do is have you set up a PIN when you first set up a Wallet account, and that PIN stays with you; it is bound to your Gmail, so that way they would still need to know your PIN when they reset the app. Personally that is how they should do it anyway, but it is still relatively new so give it time.
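
Added example, not part of any post in this thread and not Google Wallet's code: a toy Python model of the fix posts #21 and #24 propose, contrasting a PIN kept only in app data with one held per account on a server. The class names, the account address and the sample PINs are constructed assumptions.

```python
import hashlib, hmac, os

def verifier(pin, salt):
    # Salted slow hash: the stored value is never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AccountPinService:
    """Hypothetical server: one PIN verifier per account, kept off the phone."""
    def __init__(self):
        self._pins = {}  # account -> (salt, verifier)

    def enroll(self, account, pin):
        if account in self._pins:
            raise PermissionError("PIN exists; changing it needs account re-authentication")
        salt = os.urandom(16)
        self._pins[account] = (salt, verifier(pin, salt))

    def check(self, account, pin):
        salt, stored = self._pins[account]
        return hmac.compare_digest(stored, verifier(pin, salt))

class WalletApp:
    """Hypothetical app; service=None models the device-only PIN design."""
    def __init__(self, account, service=None):
        self.account, self.service = account, service
        self.local_pin = None  # (salt, verifier) held in app data

    def clear_app_data(self):
        self.local_pin = None  # "clear data" wipes only what the app stored locally

    def set_pin(self, pin):
        if self.service is not None:   # account-bound design
            self.service.enroll(self.account, pin)
        else:                          # device-only design
            salt = os.urandom(16)
            self.local_pin = (salt, verifier(pin, salt))

    def pay(self, pin):
        if self.service is not None:
            return self.service.check(self.account, pin)
        return bool(self.local_pin) and hmac.compare_digest(
            self.local_pin[1], verifier(pin, self.local_pin[0]))

def pin_survives_clear_data(app):
    app.set_pin("4821")        # owner's PIN (constructed)
    app.clear_app_data()
    try:
        app.set_pin("0000")    # a new PIN chosen after the wipe
    except PermissionError:
        return True            # server refused to replace the PIN
    return not app.pay("0000")
```

In the account-bound variant the owner's original PIN still works after the wipe, because the verifier never lived in the data that was cleared.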
28th December 2011, 08:03 AM   |  #25  
I think this might have something to do with the app being installed as a user app vs system app. System apps require higher privileges to modify, I think. Plus, and I think this is important, if a "tech-savvy thief" gets physical access to your unprotected phone, Wallet would be one of your many problems.

I don't know about you but my Gmail is my life. If such a thief can access it, it would grant him/her enough access to reset my bank password, car insurance info, my valuable digital data, access to my email list (phishing attacks on people who trust emails that come from me), reset my Facebook password, Twitter, etc.

Also, there are many other equally important applications that you might install on your phone that rely on only the phone's security to protect your valuable data. I am sure you can think of more than one.

You also have no idea what a true hacker can do to a piece of technology, such as your phone, if they have unrestricted access to it. For example, a hacker might be able to root your phone, dig into the system files for some saved unhashed password, deleted (but not overwritten) data, etc. I saw an article a while back about a few hackers in some university that can pull a password for an encrypted hard drive by reading it off the memory after they freeze it with liquid nitrogen (but I doubt you have anything on your worth that much trouble).

So in short, PUT A PASSCODE ON YOUR PHONE, if you really want to protect the data that is contained within it. The only other choice you have is to keep sensitive data out of your phone.
Last edited by sm_x; 28th December 2011 at 08:05 AM.
28th December 2011, 12:49 PM   |  #26  
bp328i
Quote:
Originally Posted by ohnuhuh

According to the post by someone on the first page this wouldn't help at all, would it? According to that post, the money is tied to the phone itself not the Gmail account. So they could just log in with their own account and still access the money on the phone. Although I've read about people getting replacement phones and transferring their money over.. So I don't really know how all that works for sure.

Yes it would help (and stop the use of Google Wallet) because when logging into Google Wallet you have to select the Gmail account (which the main Gmail account on your phone is listed first) then you get an allow permissions accept page.

If you change your Gmail password then nothing on the phone that is based off your Gmail account works anymore. (I tried before posting) The Google Wallet/Money is based off your Gmail account, but the OP is basing the flaw off the owner of the phone not changing their password after the phone has been lost/stolen. It's great that this was pointed out but not a huge deal.

I have two Galaxy Nexii and have tried and Google Wallet will load my pre-paid card money on either phone as long as I put MY Gmail info in.
28th December 2011, 08:00 PM   |  #27  
You could always use a program like UAG to PW protect that app if you don't want to PW protect your whole phone.
