Skip to main content

PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)



Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In astatement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

Comments

Popular posts from this blog

10 URLs to Find Out What Google Knows About You

Google is much more than just a search giant. It is also home to many of your favorite products: Gmail, YouTube, and Chrome, just to name a few. Apart from that, it also offers many products to help you  keep track of your data . Most of these are  hidden deep  inside the My Account dashboard, which many users don’t really know of. These hidden tools  may reveal interesting details  about your usage of Google’s many services. We’ve compiled a list of important Google URLs of some  hidden tools  that carry information of what you did with Google, mostly from the searches that you have made on their many products, the voice searches and typed out Google searches that you have made. Are you ready to  find out what how Google knows about you ? 1.  Google Dashboard Google Dashboard offers  transparency and control over the personal data stored with your Google Account. You can  view  and  manage the data gener...

Wind Turbines

The Bahrain World Trade Center is the first skyscraper to have wind turbines integrated into the structure of the building.Three large wind turbines are suspended between two office towers. The towers are aerodynamically tapered to funnel wind and draw air into the turbines. This airfoil tapering allows the wind to enter the turbines at a perpendicular angle and increases air speed as much as 30 percent in each of the 95 ft wide turbine rotors. The turbines supply about 15 percent of the electricity used by the skyscraper - approximately the same amount of electricity used by 300 homes. Source: www.norwin.dk

Edible water balloons that could get rid of the need for plastic bottles

In case you didn’t know, bottled water is destroying the planet. We know that we need to be drinking plenty of water. It’s important. But the plastic bottles they’re sold in are terrible for the environment. One solution is using reusable bottles that you can fill from any nearby taps instead of buying a new bottle each time. Another solution is much more exciting. A group of engineers from Skipping Rocks Lab have developed a wonderful thing called The Ooho!. It’s a globe filled water that you can pop in your mouth whole. The outer shell is made of algae, so it’s edible and biodegradable. Meaning there’s no need for packaging or plastic – the globes of water are self-contained and ready to consume. Exciting, right? Plus they’re wobbly and they look cool, which is always a bonus. The team have now created a crowdfunding page to make their creation available to the public, with goals of selling The Ooho! at festival and marathons within the next 12 m...