Thursday 16 February 2012

Zvelo takes issue with latest Google Wallet update, says service still vulnerable

The Google Wallet drama is far from over. Late last night Google emailed me to inform everyone that they have restored the ability to issue new prepaid cards to the Wallet. Google also issued a fix that prevents an existing prepaid card from being re-provisioned to another user.

Literally an hour after Google notified me of their changes, the security firm Zvelo, who pointed out the first security vulnerability in Google Wallet, contacted us to say that they still take issue with Google’s comments.

Specifically, Google has stated, “To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”

If you read Zvelo’s new article, you will see the disagreement. They claim that the latest Android OS available for the Samsung Galaxy Nexus is 4.0.2 (ICL53F), which uses a Linux kernel that has a known vulnerability (CVE-2012-0056) that allows a malicious app to gain root access.

More troubling, they say that physical access to a device is no longer required to access Google Wallet data, including the user’s PIN, which can be brute-force cracked as described in the original hack. They claim a malicious app could use the exploit to gain root access remotely (where there was none previously) and send Google Wallet data to a remote server.

Hopefully Google will address this vulnerability with another update to the Google Wallet app or with a firmware update to the Android OS. We have seen that Google was internally testing Android 4.0.4, but it has been rumored that Android 4.0.5 will be the next version that is pushed out to consumer devices in March.

As always, the best thing you can do to protect your Android device is to use a secure lock screen and only install apps from the official Android Market. Google has their own service called Bouncer that patrols the Android Market and removes malicious apps, but it never hurts to have an added layer of protection like Lookout Security.

It should be noted that we are not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports.

Google also reminds us that just like with any other credit card, you can get support when you need it. They provide toll-free assistance in case someone manages to make an unauthorized transaction or you lose your phone.

We have reached out to Google to see if they will address the latest claims of Zvelo and will update this story when we receive a response.

Via: Google Commerce

Source: Zvelo

Taylor is the founder of Android and Me. He resides in Dallas and carries the Verizon Galaxy Nexus as his daily device. Ask him a question on Twitter or Google+ and he is likely to respond.

Tagged: #android 4.0.2, #Android 4.0.5, #google, #google wallet, #ICL53F, #Zvelo

23 Comments

43 txbluesman, 20 hours ago, +5

I still have faith in this app and will keep using it. I lock screen, get all my apps from the “Android Market” and use Lookout, just as you noted Taylor. Thanks for this updated info.

28 professandobey, 6 hours ago, 0

Same here except that I use Avast!

KenG (Guest), 20 hours ago, +7

This bug is overblown. If you lose your phone, just like when you lose your physical wallet, the last thing you’re worried about is the cash in it. The bigger issue is replacing the phone and the information inside it. If you’ve lost your wallet, sure, you’d like the money back, but what really worries you is the lost credit cards and driver’s license and other ID that is a hassle and a bigger potential loss.

SuperAndroidEvo (Guest), 20 hours ago, -1

See but it’s not a bug it’s a flaw. That means that it can happen, so Google needs to address this. This is people’s money we are talking about. If Google wants Google Wallet to be mainstream this issue has to be treated seriously. People won’t embrace Google Wallet if this type of press keeps happening.

I have faith in the app but I am not going to use it until this is fixed. There is risk in using Google Wallet right now so to me it’s a risk that I can live without. Better be safe than sorry. I will wait to use Google Wallet once it’s correct & works as it’s intended. To me working as intended means protection of private information also.

Google will fix this & this will be just some growing pains!

Flyerwire (Guest), 20 hours ago, +4

Do you carry around a wallet with credit cards in it?

Infinitely less secure and much more at risk than using Google Wallet.

94 AsakuraZero, 19 hours ago, +2

true plus is a hassle to order the cards again haha.

anyways the good thing is…

google is taking this seriously, at least they are not overlooking it, they are not that bad as apple in patching up things like this.

the bad thing,

they patched it up once, and there are easy to spot flaws (for those who know their business).

but as the article says, COMMON SENSE helps a lot in security, in real life and in the technology one too

68 honourbound68, 18 hours ago, +2

That’s what I love about Google. They will fix problems. Their actions build good will for the end-user. I still use my GWallet too. I can’t wait for it to be accepted everywhere so I won’t have to bring my credit cards any longer.

M0nk (Guest), 19 hours ago, 0

Totally agree. It’s very easy to clone a credit card. You only need to take 2 pictures to do online transactions and a magnetic card reader / writer to do it in a store. One of the most common crimes these days.

SuperAndroidEvo (Guest), 18 hours ago, -1

No not really, there is no malware app for my actual wallet. I have had my wallet for years & no one has ever made a malware app to attack it. You know why? BECAUSE it can’t go online or download anything. It’s completely analog.

Nice try though! lol

Yeah INFINITELY less secure. Riiiiiiiiiight! lol

If you are connected to the web, you are at risk! PLAIN & SIMPLE!

93 DroidSamurai, 17 hours ago, +1

There’s something called a thief, or a robber. Malware attacks your app, a thief/robber attacks you.

SuperAndroidEvo (Guest), 17 hours ago, 0

This is for DroidSam,

It’s going to take a lot more effort for a thief/robber to get my wallet because I can at least fight them off unless they have a gun or some weapon. Also if I do get robbed, the very next thing I am going to do is call my bank & credit card companies to stop all transactions.

With malware the only way you will know if something went down is if you check your accounts on a daily basis or if you have a reputable credit card company that will send you an alert of any suspicious charges/purchases.

So again it’s way easier to get your personal information, money or whatever online/the web than by the old school way of thievery/robbing.

So nice try to you also! lol

The fact of the matter is that cyber crimes are becoming more prevalent than actual old school types of thievery/robberies. Welcome to the 21st century. This isn’t your grandfather’s century! Times have changed, if you really think the internet is safe you are a total fool. Cyber crimes are on the rise whether you want to believe it or not. That is FACT!

esper256 (Guest), 17 hours ago, 0

There’s no risk. Your credit card info is stored in the secure element of the NFC chip. It is not even accessible to root processes on the phone. In order for a hacker to spend YOUR money you would have to have the following happen.

A) Not set a lock screen password
B) Install an OS build NOT from Google that allows apps with root privs to run.
C) Lose your phone
D) Hacker finds phone
E) Hacker is savvy enough to try an exploit
F) Hacker brute forces through 4 digit PIN (really, this is like saying someone broke into your house through a tin foil door. It’s meant to keep kids out of your wallet.)
G) Through ALL THIS you fail to call Google Wallet and inform them of the loss of your phone.
H) Hacker can spend money on your phone. Of course they should also be worried about getting caught using a stolen phone if you had reported it. So would they even risk trying it?

SuperAndroidEvo (Guest), 17 hours ago, 0

If there is no “risk” then why is this all over the news? The “risk” is real that is why we are even talking about this in the first place.

You could not be any more wrong in your assessment on the issue.

People have done this as reported, people have hacked into the CIA, Pentagon, the Army, and so on and so forth. You really don’t think that those same types of people could do some serious damage to Google Wallet if it ever got mainstream. That is why Google is trying to fix this because they want this to become mainstream.

I want Google Wallet to work, but I want it to be as safe as it can be. I know nothing is 100% safe but it should be a little bit better protected. Once I feel like it is then I will most definitely use it. I have used it & it works extremely well. I just want to feel safer when I use it. I stopped because of all this news floating around! Better be safe than sorry.

esper256 (Guest), 15 hours ago, 0

It’s over the news because news journalists are not security experts or software engineers. It’s in the news because someone published a video of brute force cracking a 4 digit PIN and journalists don’t understand what that means. To someone who is a software engineer. We shrug and go, “So?”. It’s like someone posting a video of someone climbing into a house through an open window. It’s not *meant* to be the layer of security. The OS is meant to be the layer of security.

If you don’t think so remember this:

Running underneath Android is the Linux kernel with the Linux security model, which is the same security running a huge number of services in datacenters around the world that house way more important things than your wallet app install (which doesn’t even contain your credit card info).

It’s still way more secure than all mainstream payment methods. It’s just NOT an issue. I know you can’t see it. But it’s not. There was a real issue earlier with the pre-paid cards. That was fixed.

89 thekaz, 20 hours ago, 0

So what’s the newest version of wallet, so I can tell if my g-nex updated correctly..?

77 greeny42, 20 hours ago, +4

Used wallet yesterday. Not afraid.

46 jsweetser2, 19 hours ago, +2

This ‘it’s possible’ stuff is getting slightly out of hand. Is it possible to download a file to my phone which could send information to some guy who uses it to root my phone and wait for me to use my $10 pre paid wallet account so he can steal it away and laugh out loud?

yes.

Am I worried about it?

no. First off, it’s Google. If any significant damage came from a product they ran, I’m pretty sure they’d recover said damage back to me.

Second, this technology is still so minuscule in its application here in America that no sane person would even take the time to put the effort into cracking Google Wallet to make any money. Go to Asia on the other hand, where NFC has been around a long time to the point where even vending machines have the technology, it could be more of an issue.

karim (Guest), 19 hours ago, -3

$100 says the iPhone 5′s NFC payment system is called iWallet

96 spazby, 19 hours ago, +3

Not worried, as many have noted, a regular wallet is far less secure than this one…

9 Max.Steel, 15 hours ago, +2

I wouldn’t be surprised if Zvelo is being secretly sponsored/funded by Apple to taint Wallet. They are probably planning on releasing their own version of Wallet in the near future.

28 professandobey, 5 hours ago, 0

Or Zvelo is connected to Isis, and this is the carriers throwing a fit that their NFC monopoly is facing competition.

Joshua Rubin (Guest), 3 hours ago, 0

Very amusing, I promise, I am not trying to hurt wallet, just make it as good as it can be. I am a big Google and Android fan. Definitely not connected to Isis either, but will certainly be looking at their product when it is available.

https://twitter.com/#!/JoshuaRubin/status/170099896135843840

Joshua Rubin (Guest), 3 hours ago, 0

I am happy to take questions about this issue too. Some of the commenters here are spot on about the reporting. Sometimes it has been very good, other times the reporters miss the security implications.
