Google Freezes New Prepaid Cards to Counter Wallet Flaw
Google has stopped issuing new Google Prepaid Cards after last week's disclosures regarding security flaws in Google Wallet on Android phones.
"To address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards," Google Wallet head Osama Bedier wrote on the Google Commerce blog Saturday. "We took this step as a precaution until we issue a permanent fix soon."
Discussions in a developer forum in December revealed that users of stolen or secondhand phones with Google Wallet could access the Google Prepaid Card balance, even if the Wallet app had been cleared of old user information. That's because the card balance is stored on the handset's Secure Element chip, not in the Wallet app itself.
The flaw gained wider publicity Friday thanks to a post and video on The Smartphone Champ blog.
A Google spokesperson explained to SecurityNewsDaily that the company had temporarily blocked the activation of newly purchased Google Prepaid Cards, but balances on already activated prepaid cards would not be affected.
The Google Wallet app uses near-field communication technology to let the user pay for items in stores by tapping or waving the handset at specially designed store checkout terminals. Users can tie their Google Wallet balance to existing credit cards, or can purchase Google Prepaid Cards to top up their balances.
At the moment, Google Wallet is available only on Sprint Nexus S phones in the United States. It will almost certainly be on the Sprint Galaxy Nexus, expected by July.
Bedier's blog posting also took on another Google Wallet security issue, one that had been made public Thursday by researchers at the security firm Zvelo.
"Sometimes users choose to disable important security mechanisms in order to gain system-level 'root' access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones," Bedier wrote. "In most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device."
Zvelo found that the Google Wallet four-digit PIN can be cracked in seconds using a specially designed app on a "rooted" phone, that is, a phone in which the operating system has been tweaked to give the user unauthorized access to system files.
The Zvelo researchers said they gave Google advance notice of their findings before they went public.
Despite Bedier's assertions, it's possible to reinstall Google Wallet on a rooted phone. The Zvelo researchers did it, and in fact you'd have to root a Verizon Wireless Samsung Galaxy Nexus to install Google Wallet in the first place, since Verizon Wireless decided not to include the app.
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.