HEADLINE NEWS
Google Suspends Provisioning of Prepaid Cards in Wallet as It Fixes Security Hole

Google has temporarily suspended provisioning of prepaid cards in its Google Wallet, as it implements a fix to prevent a simple hack that would allow unauthorized users to spend prepaid balances on lost or stolen wallet phones.
UPDATE: Google said late Tuesday it had restored the ability to issue new prepaid cards to the wallet after implementing a fix. The fix prevents existing prepaid cards from being reprovisioned by other users, said Google.
“While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers,” Osama Bedier, vice president for Google Wallet and payments, said in an update to the Google Commerce blog. END UPDATE.
The hack, which came to light Thursday, showed how unauthorized users could clear data from the Google Wallet app settings, then set a new PIN and gain access to any unspent balance in the Google Prepaid Card account already on the phone.
The hack could leave wallet phones vulnerable if the legitimate Google Prepaid cardholder lost his phone or had it stolen and hadn’t enabled the phone's screen lock.
“We took this step as a precaution until we issue a permanent fix soon,” Osama Bedier, vice president for Google Wallet and payments at Google, said in a blog post Saturday.
This hack follows a more complex attack revealed Wednesday on the PIN protecting the wallet. It would require a brute-force attack and the hacker would have to have possession of the phone and install PIN-cracking software. Moreover, the device would have to be rooted. Somewhat similar to jailbreaking an iPhone, rooting an Android phone gives users root access to the file system.
Bedier in his statement said Google Wallet phone users shouldn’t root their devices, because this disables security measures, apparently including safeguards erected to protect the Wallet PIN. “That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device,” said Bedier.
But a thief could root the device after taking the phone, noted the firm that conducted the hack, zvelo, which recommended the wallet PIN be verified in the secure element on the phone, instead of outside the secure chip. This could create logistical problems, however, said the firm, since Google might have to pass responsibility for keeping the PIN secure to banks, presumably those that have applications in the wallet.
While the two hacks are not considered major threats to the payment applications in the wallet, which remains much more secure than leather wallets and magnetic-stripe cards, the vulnerabilities are getting a lot of play in the tech press and in some mainstream publications, which creates another problem for Google as it seeks to encourage more consumers to use the wallet. Many consumers already have security fears about paying with their smartphones.
Google is facing even more daunting challenges in getting more NFC smartphones that support the wallet into the pockets of users and encouraging more merchants to accept its applications.
Bedier did acknowledge the company is learning as it goes along in pioneering the NFC wallet.
“Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet.”












