PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (video)

Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

[Thanks to everyone who sent this in.]

Continue reading PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (video)

PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (video) originally appeared on Engadget on Thu, 09 Feb 2012 05:07:00 EDT. Please see our terms for use of feeds.

Permalink   |  zvelo  | Email this | Comments

SALESFORCE COM SAIC ROCKWELL AUTOMATION RF MICRO DEVICES RED HAT