Google Wallet a security risk: researchers

NEW YORK Fri Feb 10, 2012 7:19pm EST

Related Topics

NEW YORK (Reuters) - Security researchers said they found a vulnerability in the Google Inc mobile payments platform which is currently available in phones sold by Sprint Nextel Corp.

Mobile payment services that allow consumers to pay by waving their phone at a check-out terminal, instead of using a credit card, have long been available in Japan and some other countries but are only just emerging in the United States.

Isis, a venture of Verizon Wireless, AT&T Inc and T-Mobile USA, is expected to launch an offering to compete with Google but has yet to announce a launch date.

The alleged vulnerability in the Google Wallet was identified by Joshua Rubin, a senior engineer with zvelo, a closely held security firm in Greenwood Village, Colorado.

Rubin developed an app dubbed Wallet Cracker that he says can break the four-digit PIN required to launch the Google Wallet app. He demonstrated how it works in a video on his blog (

Rubin said that he had disclosed his findings to Google and that the company "was able to confirm the issue and agreed to work quickly to resolve it."

Google spokesman Jay Nancarrow in an emailed statement said "We are working to resolve the issue," even as he took issue with the study that prompted the allegations.

"The zvelo study was conducted on their own phone, on which they disabled the security mechanisms that protect Google Wallet by 'rooting' the device," Nancarrow said.

Google, he added, recommends that people not install Google Wallet on "rooted" devices and that they should set up a screen lock as an additional layer of security.

Sprint representatives were not immediately available for comment.

Google's Wallet partners also include Citigroup Inc and payment network MasterCard.

Emily Collins, a Citi spokeswoman, said no Citi cardholder information is stored in the Google Wallet nor are cardholders liable for unauthorized transactions.

Jimmy Shah, a security researcher for security software specialist McAfee, said on Friday that the vulnerability did not appear to be a very easy one to exploit.

But he said it was theoretically possible if a hacker was able to physically steal a user's phone.

Shah said that a hacker would need time to install the Cracker app and to install another piece of malware to disable the phone's security system before being able to run the Cracker app to retrieve the PIN number.

The hacker would also still need the phone itself in order to be able to make payments using the stolen Google Wallet.

"It's a nice theoretical attack but it's not a very simple attack," Shah told Reuters.

McAfee is owned by chipmaker Intel Corp.

(Reporting By Sinead Carew in New York and Jim Finkle in Boston. Editing by Matthew Lewis and Bob Burgdorfer)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see
Comments (2)
CeleryKills wrote:
I think one the next major concerns should be that Google can not link your spending to your internet activity. Imagine your credit score being based on the websites you visit.

Feb 12, 2012 3:25pm EST  --  Report as abuse
NewsAddiction wrote:
Every single payment system in the world today has multiple vulnerabilities.

Cash is counterfeited. Credit card numbers are stolen en masse. Checks are forged. Bank accounts and personal information is compromised.

Anything new is always especially vulnerable in it’s infancy.

We always need new inventions and innovation in the universe of finance. Perhaps with more limited options we might wake up and realize that our world of money is truly a house of cards.

Feb 12, 2012 5:08pm EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.