The security experts at zVelo have discovered a vulnerability in Google Wallet that allows them to “easily reveal” users’ PINs. If a Google Nexus is rooted, Google Wallet’s PIN verification system can be cracked using a brute force attack. zVelo said on Wednesday that it immediately reported its findings to Google, and the company “agreed to work quickly to resolve it,” although the researchers said Google “ran into obstacles.” To fix the problem, the PIN verification must be moved into the secure element of the NFC chip in a device, however to do so Google must apparently coordinate with banks. Moreover, changing the way a PIN is stored will also change which company is responsible for its security. Read on for more.
If users refrain from rooting their devices, enable a passcode to lock their device, disable USB debugging and enable Full Disk Encryption, they will be better protected from a possible attack. Google released a statement to TheNextWeb and ensures users that the vulnerability only affects rooted devices. “We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone,” said a company spokesperson.