Significant security flaw in Google wallet

Evangelion01

Senior Member
Dec 25, 2011
159
36
There's quite a significant security flaw in Google wallet at the moment.

Going into application settings and then clearing data for wallet is the same as resetting wallet from within the application, without having to enter a pin. Know what that means? You're able to set up a new password and have access to your prepaid card.

That's right. If a tech-savvy thief has your phone and you don't have a passcode on the lockscreen (possibly because Google's implementation of passcode stuff sucks) or the screen hasn't timed out yet, the thief will have access to whatever funds remain on your Google prepaid card, regardless of the pin you set in the application.

This is yet another reason why Google needs to add the ability to lock out INDIVIDUAL applications with a code or face recognition, not just the friggin' lockscreen. If someone gets your phone after you've entered your lockscreen code/pattern, they have free rein over the device as long as the screen is on. Third party software for this purpose just doesn't work very well at this stage. This functionality needs to be integrated into the OS. Sorry for going off on a tangent.

Basically:
1) Go into application settings
2) Clear data for Google wallet
3) Open wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used.
 

bigmike2424

Senior Member
Mar 10, 2010
102
27
That's a good point. I don't know if Google Wallet is supposed to be more secure than a credit card.

If someone steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google Wallet.

Or I'd just remotely wipe the phone, so they have none of your information on your phone.

Sent from my Galaxy Nexus using XDA App
 

Evangelion01

Senior Member
Dec 25, 2011
159
36
That's a good point. I don't know if Google Wallet is supposed to be more secure than a credit card.

If someone steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google Wallet.

Or I'd just remotely wipe the phone, so they have none of your information on your phone.

Sent from my Galaxy Nexus using XDA App

Any actual cards that you add to Wallet will of course be removed, but the Prepaid card will still work. How easy would it be to suspend transactions with Google?
 

mDroidd

Senior Member
Aug 27, 2011
1,844
1,362
mappz-development.com
Ouch... report it!

Greets
____________
mDroid - Tapatalk

Phone: LG-P500
ROM: Nitrogen - Beta-V1b
Kernel: custom .35
Theme: ICS (Z25 - paid. ported by me :D)
Tweaks: ALL
Wishlist: Galaxy Nexus :)
 

Ronin09

Senior Member
Aug 27, 2010
236
13
You have to have a passcode to use the wallet feature. I am not following this at all seriously.

To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/passcode before swiping.

The only way for a thief to get access is to take your phone while it's in your hand and the screen is open, but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.

Try it.
 

Evangelion01

Senior Member
Dec 25, 2011
159
36
You have to have a passcode to use the wallet feature. I am not following this at all seriously.

To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/passcode before swiping.

The only way for a thief to get access is to take your phone while it's in your hand and the screen is open, but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.

Try it.
You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.
 

theclueless

Senior Member
Jul 30, 2008
518
41
Chicago
You have to have a passcode to use the wallet feature. I am not following this at all seriously.

To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/passcode before swiping.

The only way for a thief to get access is to take your phone while it's in your hand and the screen is open, but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.

Try it.

Try this:

Open settings, clear Google Wallet data, then run Google Wallet again.

It will prompt you for a new passcode and link it to the Google account on your device.

Of course, all the credit card info is wiped, but your Google prepaid card can still be added without a passcode, so whatever remaining balance you have on it will be usable by whoever activates it.
 

ohnuhuh

Senior Member
Feb 13, 2008
80
16
You have to have a passcode to use the wallet feature. I am not following this at all seriously.

The OP explains it perfectly.
1) Go into application settings
2) Clear data for Google wallet
3) Open wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used.

That means anyone who gets your phone, even while it's turned off, can follow these steps to remove whatever pin you have set. They can then set up Google Wallet with their own pin and add your prepaid card with all its funds back onto the app and start using it.

To be safe, you'll need to set your lockscreen to use one of the other security types such as pin, pattern, or password, and then hope nobody gets ahold of your phone while the phone itself is unlocked. I don't find face unlock to be very safe at all so I won't even recommend it for protecting Google Wallet funds.
 

ancostel

Senior Member
Jul 21, 2010
96
5
Riverview, FL
To add another failure of Google Wallet: somehow your wallet gets registered with your device, or that's how it looks. I had a Nexus S with Wallet fully functional and about $12 left on the prepaid card. I bought the GN and gave the NS to my wife, fully wiped the device, reinstalled Wallet and activated it with my wife's account. Guess what: she got my remaining balance, and when I activated mine on the GN I only got the $10. But to be 100% fair, it could be related to the fact that we're not really supposed to have this running on our phone, since my NS was on T-Mobile and not Sprint, hence I was running a "not approved" app.
 

Elganja

Senior Member
Jun 30, 2010
255
24
You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.

I was having a hard time understanding too until you pointed this out (again?) ... thanks for the heads up.

Did you submit this issue to Google?
 

Evangelion01

Senior Member
Dec 25, 2011
159
36
I was having a hard time understanding too until you pointed this out (again?) ... thanks for the heads up.

Did you submit this issue to Google?

Nope. How would I go about doing that? Knowing Google, even if we were to inform them today there wouldn't be a fix for at least a month.

Still can't believe that after three years they haven't got a solution allowing you to passcode protect individual applications in the OS. Dumbphones could do that back in 2004!
 

Elganja

Senior Member
Jun 30, 2010
255
24
Nope. How would I go about doing that? Knowing Google, even if we were to inform them today there wouldn't be a fix for at least a month.

Still can't believe that after three years they haven't got a solution allowing you to passcode protect individual applications in the OS. Dumbphones could do that back in 2004!

should be here: http://support.google.com/wallet/bin/static.py?hl=en&page=known_issues.cs (click on "let us know") but it isn't working for me atm
 

player911

Inactive Recognized Developer
Sep 8, 2006
7,952
1,205
Cincinnati
www.SnapSiteAdmins.com
MIUI had a sweet security app based on individual apps. I would lock down my games because my boy liked to get in there and press buttons, aka delete my saves.

I don't know what process it would involve to port this over. But it would be a welcome one.

Galaxy Nexus - 4.0.3 CM9
Asus Transformer - 3.2 Revolver
 

Evangelion01

Senior Member
Dec 25, 2011
159
36
I went ahead and emailed the relevant Google department about the issue. I'll keep you all updated if I get a response, but bear in mind that this is Google's rubbish customer service that we're talking about... I'm not getting my hopes up.
 

bp328i

Senior Member
May 22, 2010
2,154
1,196
Tampa Bay
If you lose your phone just log into your Gmail and change the password. Problem solved.
 

bp328i

Senior Member
May 22, 2010
2,154
1,196
Tampa Bay
Yes, problem solved if you can get access to an internet-connected device quickly enough.

I guess I just don't see it as big of an issue as you do.

I mean, if you lose your real wallet you have to track down the phone numbers for your credit card companies and call them all one by one. It would be easier and quicker in this day and age to find an internet-connected device.

All my friends and family have internet-connected devices (smart phones), so I could change my Gmail password faster than I could call one credit card company, get through their phone system, get a live person on the phone and cancel the card.

When it comes to money, credit cards or anything being used as either of the two, there will always be flaws that someone will try to exploit. And this flaw can be corrected/stopped by the end user within 5 - 10 minutes.

But seriously good find on this!
 

Evangelion01

Senior Member
Dec 25, 2011
159
36
I guess I just don't see it as big of an issue as you do.

I mean, if you lose your real wallet you have to track down the phone numbers for your credit card companies and call them all one by one. It would be easier and quicker in this day and age to find an internet-connected device.

All my friends and family have internet-connected devices (smart phones), so I could change my Gmail password faster than I could call one credit card company, get through their phone system, get a live person on the phone and cancel the card.

When it comes to money, credit cards or anything being used as either of the two, there will always be flaws that someone will try to exploit. And this flaw can be corrected/stopped by the end user within 5 - 10 minutes.

But seriously good find on this!

That's true, I was trying to look at the worst case scenario. The flaw itself is pretty serious, but the consequences wouldn't be that great yet. I've only heard of one person who had over $100 on their prepaid card, and I think there are extra measures in place when purchasing larger items? Not sure.

But something as simple as this certainly needs to be fixed before NFC payments go mainstream.
 

bp328i

Senior Member
May 22, 2010
2,154
1,196
Tampa Bay
That's true, I was trying to look at the worst case scenario. The flaw itself is pretty serious, but the consequences wouldn't be that great yet. I've only heard of one person who had over $100 on their prepaid card, and I think there are extra measures in place when purchasing larger items? Not sure.

But something as simple as this certainly needs to be fixed before NFC payments go mainstream.

I agree it is simple and does need to be fixed. They could make a quick fix by having each app that is based off our Gmail accounts require the Gmail password re-entered when an app is setup and not just ask permission.
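As an added illustration of the re-authentication fix suggested above (a constructed toy model written for this page, not Google Wallet's code; the account name, password, PINs and the 1200-cent balance are made-up sample values): the prepaid balance lives server-side and is bound to the account, while the PIN gate is purely client-side. Design A keeps the PIN hash only in the app's private data, so "Clear data" removes the gate and a fresh setup is accepted on the strength of the device's logged-in account alone. Design B requires the account password on every setup, so a wiped app cannot be re-enrolled without it.

```python
# Constructed model of the two designs discussed in the thread; not Google's code.
import hashlib
import hmac
import os


class AccountServer:
    """Stand-in for the account backend that holds the prepaid balance."""

    def __init__(self):
        self._accounts = {}  # account -> [salt, password_hash, balance_cents]

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account, password, balance_cents):
        salt = os.urandom(16)
        self._accounts[account] = [salt, self._hash(salt, password), balance_cents]

    def verify_password(self, account, password):
        salt, stored, _ = self._accounts[account]
        return hmac.compare_digest(stored, self._hash(salt, password))

    def balance(self, account):
        return self._accounts[account][2]

    def spend(self, account, cents):
        rec = self._accounts[account]
        if cents > rec[2]:
            raise ValueError("insufficient funds")
        rec[2] -= cents


class LocalPinWallet:
    """Design A: the PIN hash is kept only in app-private storage."""

    def __init__(self, server, account):
        self.server = server
        self.account = account  # the account already signed in on the device
        self.app_data = {}      # stands in for the app's private data directory

    def setup(self, pin, password=None):
        # The device account is trusted as-is; the password is never asked for.
        salt = os.urandom(16)
        self.app_data["pin"] = (salt, hashlib.sha256(salt + pin.encode()).digest())

    def clear_app_data(self):
        """What 'Clear data' under application settings does to this design."""
        self.app_data.clear()

    def is_set_up(self):
        return "pin" in self.app_data

    def pay(self, pin, cents):
        if not self.is_set_up():
            raise PermissionError("wallet not set up")
        salt, stored = self.app_data["pin"]
        candidate = hashlib.sha256(salt + pin.encode()).digest()
        if not hmac.compare_digest(stored, candidate):
            raise PermissionError("wrong PIN")
        self.server.spend(self.account, cents)


class ReauthWallet(LocalPinWallet):
    """Design B: setup, and therefore re-setup after a wipe, needs the account
    password, so a wiped app is not a fresh start."""

    def setup(self, pin, password=None):
        if password is None or not self.server.verify_password(self.account, password):
            raise PermissionError("account password required to set up wallet")
        super().setup(pin)


def resetup_after_wipe(wallet_cls, password_known):
    """The thread's scenario: the owner sets up a wallet, app data is cleared,
    and whoever holds the device tries to set it up again with a new PIN and
    spend 500 cents. Returns (re-setup succeeded, remaining balance in cents)."""
    account, password = "owner@example.com", "constructed-sample-password"
    server = AccountServer()
    server.register(account, password, 1200)  # constructed $12.00 balance
    wallet = wallet_cls(server, account)
    wallet.setup("1234", password=password)
    wallet.clear_app_data()  # the step that removes the gate in design A
    try:
        wallet.setup("9999", password=password if password_known else None)
        wallet.pay("9999", 500)
        return True, server.balance(account)
    except PermissionError:
        return False, server.balance(account)


if __name__ == "__main__":
    print("local-only PIN, no password:   ", resetup_after_wipe(LocalPinWallet, False))
    print("re-auth on setup, no password: ", resetup_after_wipe(ReauthWallet, False))
    print("re-auth on setup, with password:", resetup_after_wipe(ReauthWallet, True))
```

The point the model makes is that the PIN in design A protects nothing the server cares about: the balance is keyed to the account, and the only thing the app checks before spending it is a value it created itself and stores where "Clear data" can erase it. Design B moves the decision of who may enrol a device to the account backend, which is the party that actually holds the funds.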
 
