
Significant security flaw in Google wallet

OP Evangelion01

26th December 2011, 07:31 PM   |  #1  
OP Senior Member
There's quite a significant security flaw in Google wallet at the moment.

Going into application settings and then clearing data for wallet is the same as resetting wallet from within the application, without having to enter a pin. Know what that means? You're able to set up a new password and have access to your prepaid card.

That's right. If a tech-savvy thief has your phone and you don't have a passcode on the lockscreen (possibly because Google's implementation of passcode stuff sucks) or the screen hasn't timed out yet, the thief will have access to whatever funds remain on your Google prepaid card, regardless of the pin you set in the application.

This is yet another reason why Google needs to add the ability to lock out INDIVIDUAL applications with a code or face recognition, not just the friggin' lockscreen. If someone gets your phone after you've entered your lockscreen code/pattern, they have free rein over the device as long as the screen is on. Third-party software for this purpose just doesn't work very well at this stage. This functionality needs to be integrated into the OS. Sorry for going off on a tangent.

Basically:
1) Go into application settings
2) Clear data for Google wallet
3) Open wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used.
26th December 2011, 09:23 PM   |  #2  
Member
That's a good point. I don't know if Google Wallet is supposed to be more secure than a credit card.

If someone steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google Wallet.

Or I'd just remotely wipe the phone, so they have none of your information on your phone.

26th December 2011, 09:36 PM   |  #3  
OP Senior Member
Quote:
Originally Posted by bigmike2424

That's a good point. I don't know if Google Wallet is supposed to be more secure than a credit card.

If someone steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google Wallet.

Or I'd just remotely wipe the phone, so they have none of your information on your phone.


Any actual cards that you add to Wallet will of course be removed, but the Prepaid card will still work. How easy would it be to suspend transactions with Google?
26th December 2011, 10:47 PM   |  #4  
mDroidd
Recognized Contributor
Ouch... report it!

Greets
27th December 2011, 01:37 AM   |  #5  
Ronin09
Senior Member
You have to have a passcode to use the wallet feature. I am not following this at all seriously.

To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your PIN/passcode before swiping.

The only way for a thief to get access is to take your phone while it's in your hand and the screen is open, but then also if the screen shuts off, the application closes and you have to input your PIN/passcode again.

Try it.
27th December 2011, 01:53 AM   |  #6  
OP Senior Member
Quote:
Originally Posted by Ronin09

You have to have a passcode to use the wallet feature. I am not following this at all seriously.

To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your PIN/passcode before swiping.

The only way for a thief to get access is to take your phone while it's in your hand and the screen is open, but then also if the screen shuts off, the application closes and you have to input your PIN/passcode again.

Try it.

You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.
27th December 2011, 01:55 AM   |  #7  
Senior Member
Quote:
Originally Posted by Ronin09

You have to have a passcode to use the wallet feature. I am not following this at all seriously.

To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your PIN/passcode before swiping.

The only way for a thief to get access is to take your phone while it's in your hand and the screen is open, but then also if the screen shuts off, the application closes and you have to input your PIN/passcode again.

Try it.

try this:

open clear google wallet data, run google wallet again.

it will prompt you for new passcode and link it to the google account on your device.

of course, all the credit card info is wiped, but your google prepaid card can still be added without passcode, so whatever remaining balance you have on it will be usable by whoever activates it
27th December 2011, 02:35 AM   |  #8  
ohnuhuh
Member
Quote:
Originally Posted by Ronin09

You have to have a passcode to use the wallet feature. I am not following this at all seriously.

The OP explains it perfectly.
Quote:
Originally Posted by Evangelion01

1) Go into application settings
2) Clear data for Google wallet
3) Open wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used.

That means anyone who gets your phone, even while it's turned off, can follow these steps to remove whatever pin you have set. They can then set up Google Wallet with their own pin and add your prepaid card with all its funds back onto the app and start using it.

To be safe, you'll need to set your lockscreen to use one of the other security types such as pin, pattern, or password, and then hope nobody gets ahold of your phone while the phone itself is unlocked. I don't find face unlock to be very safe at all so I won't even recommend it for protecting Google Wallet funds.
Last edited by ohnuhuh; 27th December 2011 at 02:47 AM.
27th December 2011, 03:46 AM   |  #9  
ancostel
Member
to add some other failure of google wallet...somehow ur wallet gets registered w/ ur device...or that's how it looks like...i had a nexus s w/ wallet fully functional and about $12 left on the prepaid card...bought the GN and gave the NS to my wife...fully wiped the device, reinstalled the wallet and activated w/ my wife's account...guess what she got my remaining balance and when i activated mine on the GN i only got the $10...but to be 100% fair it could be something related with the fact that we're not really supposed to have this running on our phone...so might be something related to that, since my NS was on t-mobile and not sprint...hence i was running a "not approved" app...
27th December 2011, 02:05 PM   |  #10  
Elganja
Senior Member
Quote:
Originally Posted by Evangelion01

You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.

I was having a hard time understanding too until you pointed this out (again?) ... thanks for the heads up.

did you submit this issue to google?
