Feb 11 AT 9:32 AM Taylor Wimberly 23 Comments

Google Wallet team responds to hacks, “We are safe enough for mobile phone payments”

google-wallet-video

This week the Google Wallet team was surprised when two different vulnerabilities were discovered. One hack revealed a user’s PIN number on a rooted phone and the other allowed anyone to reset the PIN and gain access to funds on a Google Wallet prepaid card.

Google quickly responded to the first hack by saying users should not use Google Wallet on a rooted device, and late last night they also responded to the second hack by saying they would temporarily disable provisioning of prepaid cards.

Many Android users are now questioning if Google Wallet is safe enough for mobile phone payments. Google responded, “The simple answer to this question is yes. In fact, Google Wallet offers advantages over the plastic cards and folded wallets in use today.”

I’ve included Google’s full statement they sent me below. It’s nice to see them address the recent issues so quickly, but I’m still wondering what you guys think. Are you comfortable with using your phone for mobile payments?

Over the last few days we've received questions and concerns about issues related to the security of Google Wallet. People are asking if Google Wallet is safe enough for mobile phone payments. The simple answer to this question is yes. In fact, Google Wallet offers advantages over the plastic cards and folded wallets in use today.

First, Google Wallet is protected by a PIN – as well as the phone’s lock screen, if a user sets that option. But sometimes users choose to disable important security mechanisms in order to gain system-level “root” access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device.

Second, we also take concrete actions to help protect our users. For example, to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon.

And just like with any other credit card, you can get support when you need it. We provide toll-free assistance in case you lose your phone or someone manages to make an unauthorized transaction.

Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet. In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t.Osama Bedier, Vice PresidentGoogle Wallet and Payments

Source: Google Commerce Blog

Taylor is the founder of Android and Me. He resides in Dallas and carries the Samsung Galaxy S 4 and HTC One as his daily devices. Ask him a question on Twitter or Google+ and he is likely to respond. | Ethics statement

    Most Tweeted This Week

  • Topher

    It’s still much harder to steal via Google Wallet than a plastic card, so I don’t see what the whining is about.

    • http://androidandme.com Taylor Wimberly

      I agree. With a secure lock screen enabled and location tracking software, I would feel more secure if I lost my phone vs losing my wallet.

    • dcds

      It’s secure enough, yes… but makes me wonder why they don’t just request some online verification the first time you set a pin in wallet.

      Even I, when coding an app, code around the possibilities of a user cleaning app data.

    • delinear

      It’s even more secure for me. I’m in the UK and we still don’t have access to it :(

  • Ruben Alvarez

    There is risk in any transaction, even cash. You can be robbed of your cash on the way. People are afraid of the next thing as usual. Eventually this kind of thing will be normal and all the questions and speculation go away. Blogs tend to over blow security flaws anyways. A lot of them just want clicks for ad dollars and they blow little things up. I trust Google with my info, call me naive. Just a new technology that some people are afraid of, and the afraid make the most noise. It will be fine, I personally can’t wait to get an NFC device.

    • Ruben Alvarez

      I re read my comment, I meant blogs in general, not pointing fingers at AndMe. The quality of this blog and site are above average.

  • Michael Martin

    well thanks to them disabling the provisioning of cards, i reset my wallet tonight and cannot get my card back up yet……….amazing

    wish people would learn to grow up and keep their devices safe with them at all times with the obvious exception of if they get robbed.

  • thekaz

    well, just another thing for the iPhone users to try and use to put Android down.. at least until Apple adds NFC payments — then it’ll be the greatest thing in the world.

    I mean, seriously.. no one is going after the physical wallet manufacturers for the security vulnerabilities…

  • MrChaz

    These attacks are exploiting vulnerabilities in Google’s app rather than in the contactless payment process.
    Its a software fix to cover the fact that (as far as I know) these are just fancy magstripe transactions and lack the security available to chip & pin transactions.

  • spazby

    I am not worried

  • rashad360

    Being an early adopter isn’t always rainbows and sunshine… I’m sure all of the kinks with NFC will be worked out eventually

  • greeny42

    Stop manufacturing panic. It’s still safer than a regular wallet or card.

    • greeny42

      the only downside of the system for me is the small number of places that accept NFC payment.

  • txbluesman

    I’m good with it. I lock screen and I have faith in Google.

  • pjax

    They are so defensive. I would have been more satisified if they had said it this way

    “we are well aware of the situation and we are all working very hard to issue the fix as soon as possible. Security is the number one priority for Google Wallet. As a precaution, we have temporarily disabled provisioning prepaid cards. We also understand that a persistent thief can just as easily gain “root” access on compromised devices, so we will fix that vulnerability as well. Google Wallet will be secure on all phones, rooted or not.

    Google Wallet is still more secure than plastic cards or folded wallets, but we urge users to exercise extra precautions until we get the fix. Consider using pin/gesture codes as an added layer of security (we don’t recommend face unlock because it is less secure). Please consider these slight inconveniences while we will be working hard on the fix”

    • dcds

      Me too. Because it’s safer than plastic cc doesn’t mean that you don’t need to improve security in wallet.

  • Hall Lo

    Well i dun see no harm here…. As many have said already the same could be happening to your credit card, if someone got it and just used it… :/ I dunno why so many others are so nervous about it

  • adi wijaya

    bagus he…

  • Kim

    But I thought it was fully ok to totally delete the OS that Google put on my phone… and then just replace it with 1 that I downloaded from some hacker site online somewhere.

    … and my phone will still be entirely bug-free and fully secure.

    No?

    What shocking news!

  • MoSDeeb

    Good to know its being pro actively worked on, but this seems to be taken over board by other tech sites

  • Steven Runciman

    The danger of leaking our personal info to 3rd parties via the internet is a very important issue, if you ask me. Specially for the minors… Imagine that high school students that (for example) have a facebook page, has the danger of informing strangers about your family, your friends, your school, your daily schedule, your home address.. these are critical personal info that could be used against our loved ones. Thats the reason that i only play online games that are credible and safe and they dont ask users for any personal data-such as Jeebboo (www.jeebboo.com). Jeebboo, is an online quiz game that does not requires any personal information (or fee) on behalf of the users/members. This way, i’m assured that my personal data is always safe and sound.

  • leganzish

    Locally Google Wallet is more secure than your plastic cards and leather wallet with lockscreens and PINs, etc. But I don’t think that is the issue that has most people scared. The real security fear (even if not a real vulnerability) is that a rogue app on your phone will access Wallet and upload your credit card numbers to a server in Russia without your knowledge. If you lose your wallet or have it stolen, you typically figure it out pretty quickly and cancel your cards. The rogue app scenario flies under the radar and could leave that account open and accessible until you see your next statement or your CC company notifies you of strange charges.

  1. TopherGuest 3 years ago

    It’s still much harder to steal via Google Wallet than a plastic card, so I don’t see what the whining is about.

  2. There is risk in any transaction, even cash. You can be robbed of your cash on the way. People are afraid of the next thing as usual. Eventually this kind of thing will be normal and all the questions and speculation go away. Blogs tend to over blow security flaws anyways. A lot of them just want clicks for ad dollars and they blow little things up. I trust Google with my info, call me naive. Just a new technology that some people are afraid of, and the afraid make the most noise. It will be fine, I personally can’t wait to get an NFC device.

  3. Michael MartinGuest 3 years ago

    well thanks to them disabling the provisioning of cards, i reset my wallet tonight and cannot get my card back up yet……….amazing

    wish people would learn to grow up and keep their devices safe with them at all times with the obvious exception of if they get robbed.

  4. well, just another thing for the iPhone users to try and use to put Android down.. at least until Apple adds NFC payments — then it’ll be the greatest thing in the world.

    I mean, seriously.. no one is going after the physical wallet manufacturers for the security vulnerabilities…

  5. MrChazGuest 3 years ago

    These attacks are exploiting vulnerabilities in Google’s app rather than in the contactless payment process.
    Its a software fix to cover the fact that (as far as I know) these are just fancy magstripe transactions and lack the security available to chip & pin transactions.

  6. Being an early adopter isn’t always rainbows and sunshine… I’m sure all of the kinks with NFC will be worked out eventually

  7. Stop manufacturing panic. It’s still safer than a regular wallet or card.

  8. I’m good with it. I lock screen and I have faith in Google.

  9. They are so defensive. I would have been more satisified if they had said it this way

    “we are well aware of the situation and we are all working very hard to issue the fix as soon as possible. Security is the number one priority for Google Wallet. As a precaution, we have temporarily disabled provisioning prepaid cards. We also understand that a persistent thief can just as easily gain “root” access on compromised devices, so we will fix that vulnerability as well. Google Wallet will be secure on all phones, rooted or not.

    Google Wallet is still more secure than plastic cards or folded wallets, but we urge users to exercise extra precautions until we get the fix. Consider using pin/gesture codes as an added layer of security (we don’t recommend face unlock because it is less secure). Please consider these slight inconveniences while we will be working hard on the fix”

  10. Well i dun see no harm here…. As many have said already the same could be happening to your credit card, if someone got it and just used it… :/ I dunno why so many others are so nervous about it

  11. adi wijayaGuest 3 years ago

    bagus he…

  12. KimGuest 3 years ago

    But I thought it was fully ok to totally delete the OS that Google put on my phone… and then just replace it with 1 that I downloaded from some hacker site online somewhere.

    … and my phone will still be entirely bug-free and fully secure.

    No?

    What shocking news!

  13. Good to know its being pro actively worked on, but this seems to be taken over board by other tech sites

  14. Steven RuncimanGuest 3 years ago

    The danger of leaking our personal info to 3rd parties via the internet is a very important issue, if you ask me. Specially for the minors… Imagine that high school students that (for example) have a facebook page, has the danger of informing strangers about your family, your friends, your school, your daily schedule, your home address.. these are critical personal info that could be used against our loved ones. Thats the reason that i only play online games that are credible and safe and they dont ask users for any personal data-such as Jeebboo (www.jeebboo.com). Jeebboo, is an online quiz game that does not requires any personal information (or fee) on behalf of the users/members. This way, i’m assured that my personal data is always safe and sound.

  15. Locally Google Wallet is more secure than your plastic cards and leather wallet with lockscreens and PINs, etc. But I don’t think that is the issue that has most people scared. The real security fear (even if not a real vulnerability) is that a rogue app on your phone will access Wallet and upload your credit card numbers to a server in Russia without your knowledge. If you lose your wallet or have it stolen, you typically figure it out pretty quickly and cancel your cards. The rogue app scenario flies under the radar and could leave that account open and accessible until you see your next statement or your CC company notifies you of strange charges.