Google has stopped issuing pre-paid cards for its Google Wallet mobile wallet scheme, after security researchers found at least two flaws in the system.
Google has stopped provisioning pre-paid cards for its mobile wallet scheme, after security researchers found multiple flaws in the system. Image credit: Marguerite Reardon/CNET News
In a blog post on Saturday, Google Wallet chief Osama Bedier said the company is suspending its pre-paid card scheme — the only way to load credit onto an Android phone with Google Wallet, apart from using a special Citi Mastercard.
"To address an issue that could have allowed unauthorised use of an existing pre-paid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards," Bedier wrote. "We took this step as a precaution until we issue a permanent fix soon."
– Osama Bedier , Google
We took this step as a precaution until we issue a permanent fix soon.
On Wednesday, researchers at the security firm zveloLABS said a brute-force attack could reveal the PIN code for a user's Google Wallet. A day later, the Smartphone Champ blog reminded people of a flaw found in December, in which simply clearing the data for Google Wallet within the phone's application settings makes it possible to reset the PIN and use all the remaining pre-paid funds.
The brute-force attack can only be carried out on rooted devices, where people have modified the phone to install an unofficial build of Android. The data-clearing attack is potentially much more serious, as all it requires is a lost or stolen Android phone with a working Google Wallet app and no lockscreen passcode.
Bedier said the move is an example of Google taking "concrete actions" to protect its users. He also said that Google strongly discourages users from rooting their Android phones if they want to use Google Wallet, "because the product is not supported on rooted phones".
"That's why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device," Bedier said, while also insisting that Google Wallet is "safe enough for mobile payments".
Mobile wallet scheme
Google launched its mobile wallet scheme in the US in September for Android phones that have near-field communication (NFC) chips. The Google Wallet app so far works only with the Sprint Nexus S 4G and Galaxy Nexus phones, and has not yet rolled out in other countries.
The UK has its own mobile wallet scheme under development, which is being led by the mobile operators here rather than phone OS providers.
Despite being common in places such as the UK, chip-and-PIN cards are yet to go mainstream in the US. As Google Wallet uses both a secure element and a PIN, it is arguably more secure than many traditional credit cards in that country.
"Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet," Bedier said. "In the meantime, you can be confident that the digital wallet you carry provides defences that plastic and leather simply don't."
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
