PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)

Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In astatement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

Comments

10 URLs to Find Out What Google Knows About You

Google is much more than just a search giant. It is also home to many of your favorite products: Gmail, YouTube, and Chrome, just to name a few. Apart from that, it also offers many products to help you keep track of your data . Most of these are hidden deep inside the My Account dashboard, which many users don’t really know of. These hidden tools may reveal interesting details about your usage of Google’s many services. We’ve compiled a list of important Google URLs of some hidden tools that carry information of what you did with Google, mostly from the searches that you have made on their many products, the voice searches and typed out Google searches that you have made. Are you ready to find out what how Google knows about you ? 1. Google Dashboard Google Dashboard offers transparency and control over the personal data stored with your Google Account. You can view and manage the data gener...

Nine government sites hit by cyber attacks: NIC

The National Informatics Center (NIC) has revealed that as many as nine government websites were defaced by recent cyber attacks. The center further said that the servers, which hosts these government sites, suffer a number of hacking attempts on a daily basis. The websites www.kumbh2010haridwar.gov.in, www.ueppcb.uk.gov.in, www.gov.ua.nic.in/ujn, www.cdodoon.gov.in, www.arunachal.nic.in,www.bee-india.nic.in, www.civilsupplieskerala.gov.in, www.mpcb.gov.in and www.informatics.nic.in were defaced , prompting authorities to ramp up the cyber security safeguards. In an RTI reply, the NIC, which reports to the Ministry of Communications and Information Technology, said that it was impossible for the body to accurately quantify these attacks but they are usually blocked by security controls put in place. The Ministry was asked to provide details of hacking attempts made on the governments websites in the last ten years (2001-11) along with url names of the portal...

Solar car hits U.S. in round-the-world jaunt

Last October, the SolarWorld GT solar-powered car set out from Darwin, Australia on a drive around the world. It has since driven 3,001 kilometers (1,865 miles) across Australia, logged 1,947 km (1,210 miles) crossing New Zealand and been shipped across the Pacific Ocean. This Friday, it will embark on the U.S. leg of its journey, as it sets out across America from the University of California, Santa Barbara. The SolarWorld GT is the result of a collaboration between solar panel manufacturer SolarWorld, and Bochum University of Applied Sciences in Germany. The four-wheeled, two-door, two-seat car gathers solar energy through photovoltaic panels built into its roof, with its solar generator offering a peak performance of 823 watts. Custom hub motors are located in both of the front wheels. The vehicle manages an average speed of 50 km/h (31 mph), with a claimed top speed of 100 km/h (62 mph). In order to demonstrate that solar powered cars needn't be a radical...

Daily Tech News

Search This Blog