by Al Sacco

Android Security Woes: Google Wallet Threat Bad News for NFC Payments

Feb 10, 2012 · 4 mins

New Google Wallet for Android security threats raise questions about the viability of NFC mobile payments services and the public's willingness to adopt them, even though such services actually have the potential to improve payment security, says Al Sacco.

It’s been a bad week for Google’s Near Field Communications (NFC) based mobile payments service, Google Wallet, and NFC payments in general.


The latest major Android security scare involves Google Wallet, and it’s a serious one. It comes at a time when Google is trying to convince Android owners to feel comfortable with using Google Wallet and their NFC-compatible smartphones to pay for goods and services, instead of using their good ol’ credit or debit cards.

Google first unveiled Google Wallet last May, but the service didn’t launch until September, and it’s only officially available on one Android handset and one U.S. wireless carrier, the high-end Samsung Galaxy Nexus from Sprint, though the service is expected to make it to a wide array of Android devices in the near future.

Earlier this week, security representatives from zvelo posted a blog entry detailing a “brute force attack” that provides them with access to Google Wallet users’ security PINs, assuming those users have “rooted” or “jailbroken” devices. And access to the Google Wallet PINs gives the exploiters access to any stored payment card information.

This exploit was bad enough, since it clearly demonstrated the potential to compromise Google Wallet users’ personal information; however, it did require users to root their devices and apparently did not affect Galaxy Nexus users who chose not to root their handheld. In other words, the security threat was a real one, but smartphone users were as much to blame for the vulnerability as Google, since the users would have had to choose to root their devices.

But a few days later, another similar exploit was announced that also grants access to Google Wallet PINs, and does not require root access.


“All a person who wants to access your Google Wallet has to do is go into the application settings menu and clear the data for the Google Wallet app.  After doing that your Google Wallet app will be reset and will prompt for you to set a new pin the next time you open it.  The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new pin and log into the app, when they add the Google prepaid card it will add the card that is tied to that device.  In other words, they’d be able to add your card and have full access to your funds.”

Yikes. That can’t be good for Google’s efforts to convince users that Google Wallet and NFC-based mobile payments are safe and secure. It sure makes me wary to jump on the NFC payments bandwagon, but it is worth noting that NFC does have the potential to actually be much more secure than credit cards, since those plastic cards really don’t offer any type of security until owners report them stolen or credit card companies flag accounts for suspicious behavior.

However, that might not matter if the general public gets spooked by high-profile security breaches like this one, and NFC payments never get a chance to prove their worth.

All of this brings to mind my number one smartphone security rule, which I’ve repeatedly stressed in security tips stories for all major mobile platforms: Always (ALWAYS) lock your device with a password. If you don’t, you’re simply asking for trouble. If your Galaxy Nexus phone is password protected when it is lost or stolen, this latest Google Wallet exploit wouldn’t likely affect you anyway, even if your handheld was rooted, since nobody would be able to gain access to applications without first unlocking your device.

AS via BGR