Google has issued a fix that changes the behaviour of Google Wallet prepaid cards to prevent abuse. The ability to add new prepaid cards to Google Wallet has been restored, and the mobile payment system is back in business.
Following revelations that an unauthorised user could potentially gain access to funds available in a Google Wallet account, Google took proactive steps to prevent any such abuse while it worked on a fix. Google temporarily disabled provisioning of prepaid cards while it worked on a permanent fix.
The issue was a flaw in the way prepaid cards are managed that would allow an unauthorised user with a lost or stolen Google Wallet smartphone to access and spend funds from the device owner’s Google Wallet prepaid card. If the unauthorised user could get to the device settings and clear the data for the Google Wallet app, they would then be able to create their own PIN and add a new prepaid card. Once the new Google Wallet account and prepaid card were active the existing prepaid card information would also appear because the Google Wallet prepaid card is tied to the device rather than the user.
An update to a blog post from Google explains, “Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet. In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user.”
The post goes on to say that Google is not aware of any abuse stemming from this flaw. Google responded to the discovery of the potential exploit to prevent behavior that might expose Google Wallet prepaid card funds, and ensure the security of Google Wallet.
This fix does not address or resolve the other recently discovered Google Wallet compromise. The other issue involves cracking the PIN on a device that has been rooted. Rooting an Android smartphone also disables security mechanisms, and Google stresses that rooting is strongly discouraged.
If you do root your device, you’re on your own. Google states plainly that Google Wallet is not supported on rooted smartphones.
The ability to access funds from an existing Google Wallet prepaid card is definitely a weakness in the system, and Google should be commended for taking the issue seriously and addressing it so quickly. The reality, though, is that if users would employ the security features at their disposal and use a lockscreen PIN or password to access the Android smartphone, the “attack” would be prevented.
You could just as easily have a wallet or credit card lost or stolen, and you’d have no way to prevent someone from spending the cash in your wallet, or charging up your credit card. Mobile payments from a smartphone are more secure because you can lock the device and prevent abuse even if it is lost or stolen. But, you have to actually use the protection available.