Google has reopened its Google Wallet prepaid card option, after shutting it down due to two security vulnerabilities that let someone in possession of your phone access your prepaid funds even if you’d cleared all of your data from the app.
Google Wallet allows you to charge purchases using your phone and a near-field communication device. The “Wallet” itself houses either a Citi Mastercard, gift card, or Google prepaid card. The company was forced to disable its prepaid card due to a recently uncovered vulnerability that allowed access to the card, even if Google Wallet information had been wiped from the phone.
“Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet,” said Google Wallet and Payments vice president Osama Bedier in a blog post. “In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user.”
The company would not comment on the details of the fix.
Google touts the Wallet as being safer than your traditional leather wallet because it comes with a lock on it: a PIN that, when entered, gives you access to the credit cards within. The now-corrected vulnerability, however, made it easy for a thief to bypass your PIN. If your phone was stolen, all the criminal had to do was wipe the phone’s Google Wallet memory. When the application was re-opened, it would prompt the criminal to create and save a new PIN. Once they did that, they could reinstall the Google prepaid card. Why? Because Google associates your prepaid card information with the phone itself, not a specific Google account. Thus, your remaining balance would pop up, and that person could go shopping with your cash.
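A simplified model of the binding flaw described above and of the stated fix (preventing re-provisioning to another user), added here as an example and not Google's code. The class names, device ID and account names are hypothetical, and it assumes the person re-adding the card is signed in under a different account.

```python
# Simplified model of prepaid-card provisioning. All names are hypothetical;
# Google did not publish its implementation or the details of its fix.
from dataclasses import dataclass, field


@dataclass
class PrepaidCard:
    balance_cents: int
    owner_account: str


@dataclass
class DeviceBoundIssuer:
    """Behaviour the article describes: the card is looked up by device alone."""
    cards: dict = field(default_factory=dict)  # device_id -> PrepaidCard

    def provision(self, device_id, account, initial_cents=0):
        # Whoever holds the device gets the existing card and its balance,
        # regardless of which account or PIN is now set up in the app.
        return self.cards.setdefault(device_id, PrepaidCard(initial_cents, account))


class AccountBoundIssuer(DeviceBoundIssuer):
    """One possible hardening: refuse re-provisioning to a different user."""

    def provision(self, device_id, account, initial_cents=0):
        card = self.cards.get(device_id)
        if card is not None and card.owner_account != account:
            raise PermissionError("card on this device belongs to another user")
        return super().provision(device_id, account, initial_cents)


def balance_after_wipe(issuer, second_account):
    """Constructed scenario: owner loads a card, app data is wiped, card is re-added."""
    issuer.provision("device-123", "owner@example.com", initial_cents=5000)
    try:
        return issuer.provision("device-123", second_account).balance_cents
    except PermissionError:
        return None  # re-provisioning refused, balance not exposed
```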
The company assures its users that it hasn’t found anyone taking advantage of the vulnerabilities since they were publicized.
The second vulnerability, however, has not yet been taken care of and probably never will be. It’s an application that can guess the PIN on a rooted or jailbroken phone. It was found a day before the more widespread prepaid card issue was uncovered. Google urges its users not to jailbreak their phones, as Google Wallet cannot be protected on phones that have been tampered with.
Zvelo, the company that discovered this vulnerability, however, made the good point that a phone doesn’t have to be rooted before being stolen. Individuals who know their way around a phone (or can get access to YouTube) can easily unlock the phone and run a similar application to get hold of the PIN. Perhaps this will make Google think twice about simply issuing a warning about the security issues surrounding unlocked phones.