
PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)



Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a hex-encoded SHA256 hash. Since the PIN is known to be four digits long, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to recover it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."
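To see why hashing a four-digit PIN gives it no real protection, here is an added example (not zvelo's Wallet Cracker and not Google's code) that counts the work needed to match a SHA256 PIN hash. The sample hashes are constructed, and the ASCII-digit encoding, the optional salt and the function names are assumptions that the article does not describe.

```python
import hashlib
import itertools

# Assumption: the PIN is hashed as plain ASCII digits, optionally prefixed by
# a salt stored next to the hash. The article gives neither detail.
def stored_pin_hash(pin: str, salt: bytes = b"") -> str:
    """Return the hex-encoded SHA256 value that would sit in app storage."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()

def keyspace(digits: int = 4) -> int:
    """Number of possible PINs of the given length (10,000 for four digits)."""
    return 10 ** digits

def recover_pin(target_hex: str, salt: bytes = b"", digits: int = 4):
    """Walk the whole PIN keyspace; return (pin, attempts) or (None, attempts)."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        pin = "".join(combo)
        attempts += 1
        if stored_pin_hash(pin, salt) == target_hex:
            return pin, attempts
    return None, attempts

def stretched_cost(digits: int, iterations: int) -> int:
    """Worst-case hash invocations if an iterated KDF replaced plain SHA256."""
    return keyspace(digits) * iterations

if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    salt = b"constructed-salt"
    for sample in ("0000", "1234", "9999"):
        pin, tries = recover_pin(stored_pin_hash(sample, salt), salt)
        print(f"PIN {pin} matched after {tries} of {keyspace()} candidates")
    # A salt read from the same storage changes nothing: the bound stays 10,000.
    # Stretching only multiplies a tiny keyspace by a constant factor.
    print("worst case with 100,000 KDF rounds:", stretched_cost(4, 100_000))
```

The bound depends only on the PIN length, so neither a stored salt nor a slower hash changes the outcome much. What limits guessing is keeping the verifier where the hash cannot be read and attempts are counted.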

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In a statement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
