Google Restores Prepaid Card Issuance to Wallet after Plugging Security Hole
Google Wallet chief Osama Bedier late Tuesday said the Web giant had restored the ability to issue new prepaid cards to the wallet after implementing a fix.
The fix prevents existing prepaid cards from being “reprovisioned” by other users.
“While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers,” Osama Bedier, vice president for Google Wallet and payments, said in an update to the Google Commerce blog.
The hack came to light last Thursday, which showed how unauthorized users could clear data from the Google Wallet app settings, then set a new PIN and gain access to any unspent balance in the Google Prepaid Card account already on the phone. Google temporarily suspended issuance of new prepaid cards to the wallet.
The hack could have left wallet phones vulnerable if the legitimate Google Prepaid cardholder lost his phone or had it stolen and hadn’t enabled the phone's screen lock.
“We took this step as a precaution until we issue a permanent fix soon,” Bedier, vice president for Google Wallet and payments, said in his original blog post Saturday.
This hack followed a more complex attack revealed a week ago on the PIN protecting the wallet. It would require a brute-force attack and the hacker would have to have possession of the phone and install PIN-cracking software. Moreover, the device would have to be rooted. Somewhat similar to jail breaking of an iPhone, rooting an Android phone gives users root access to the file system.
Bedier in his original statement said Google Wallet phone users shouldn’t root their devices, because this disables security measures, apparently including safeguards erected to protect the Wallet PIN. “That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device,” said Bedier.
While the two hacks are not considered major threats to the payment applications in the wallet, which remains much more secure than leather wallets and magnetic-stripe cards, the vulnerabilities got a lot of play in the press, which creates another problem for Google as it seeks to encourage more consumers to use the wallet.
Many consumers already have security fears about paying with their smartphones. At present, only one phone officially supports the wallet and few merchants can support the Web giant's SingleTap technology, with both payments and offers at the point of sale.
First Data handles Google's Prepaid Card program.