It may not be out, but it is down. Google Wallet has had a tough week, as multiple security flaws – targeting the pre-paid card portion of the tool – have emerged.
The upshot: Google has “temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon,” according to a blog post by Osama Bedier, vice president, Google Wallet and Payments.
An innovative payments tool, Google Wallet – which debuted in September – is designed to serve both as an online payments method (similar to PayPal) but also as a wave-and-pay tool on smartphones that feature Near Field Communications. In announcing Google Wallet, the company pulled no punches in positioning it as the digital replacement to physical wallets.
Maybe not so fast.
Zvelo, a security research outfit, has disclosed that a brute force attack on a rooted smartphone could reveal the owner’s Google Wallet PIN – which would put the hacker in control of that Google Wallet.
The Smartphone Champ soon revealed a more devastating flaw. Said the researchers there, “The security flaw is painfully easy to do and requires no extra software nor does it require root. All a person who wants to access your Google Wallet has to do is go into the application settings menu and clear the data for the Google Wallet app. After doing that your Google Wallet app will be reset and will prompt for you to set a new PIN the next time you open it. The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new PIN and log into the app, when they add the Google prepaid card it will add the card that is tied to that device. In other words, they’d be able to add your card and have full access to your funds. “
Google, for its part, insisted: “Google Wallet offers advantages over the plastic cards and folded wallets in use today.”
Bedier, in his blog, added: “Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet. In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t.”
Experts appear to believe that, probably, this is simply a bump in the road towards wider Google Wallet deployment. But there also appears to be a gathering sense that Google will need to decisively reassure users about security issues going forward.