Google Wallet PIN Cracked - InformationWeek
10:28 AM
Ransomware: Latest Developments & How to Defend Against Them
Nov 01, 2017
Ransomware is one of the fastest growing types of malware, and new breeds that escalate quickly ar ...Read More>>

Google Wallet PIN Cracked

Fix for mobile payment vulnerability could require banks to take over some security responsibility.

When researchers late last year revealed that the Google Wallet app stored sensitive user data in plain text locally on the device, they also gave the app credit for its PIN protection. But now that last line of defense has been exposed by another researcher, who this week released a proof-of-concept (PoC) for cracking the Google Wallet PIN.

Joshua Rubin, senior engineer with Zvelo, posted his PoC that demonstrates how he cracked Google Wallet's four-digit PIN, used to authorize and process mobile-phone payments. The PIN is considered the extra layer of security that a plain, old credit card wouldn't have. But Rubin poked a big hole in that strategy: "With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system," Rubin said in a blog post.

In December, researchers at viaForensics said they had found that the app locally stores some payment card data in plain text, such as the cardholder's name, transaction dates, email address, and account balance.

Google Wallet lets consumers transact credit-card charges, redeem gift cards, and use loyalty membership cards in stores from their phones. To run the app, the users must type in their four-digit PINs when they launch the app.

While Google Wallet hides the full credit-card account number, the last four digits reside in plain text in the app's local SQLite database, viaForensics found. viaForensics also found that the app repels man-in-the-middle attacks, and at the time gave the app credit for being protected by a PIN to conduct transactions with the cards.

Zvelo's Rubin, who posted details on the PoC as well as a video of it, was able to brute-force the PIN, which was a long-integer "salt" plus a SHA256 hash.

Wallet uses near field communication (NFC), based on RFID technology, and it communicates with a so-called secure element (SE) stored in a chip on the device. "It's like the chip and pin model in European credit cards," says Tyler Shields, a security researcher with Veracode.

Read the rest of this article on Dark Reading.

It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/14/2012 | 5:25:38 AM
re: Google Wallet PIN Cracked
Google responded to the attack uncovered by the smartphonechamp blog over the weekend by temporarily disabling the provisioning of prepaid cards.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll