Google Wallet hacked again; new exploit doesn't need root access [video] - kemper
http://www.bgr.com/2012/02/10/google-wallet-hacked-again-new-exploit-doesnt-need-root-access-video/

======
ge0rg
TL;DR: By deleting the Wallet application data from Android prefs you can
assign a new PIN and access the Wallet (e.g. on a stolen phone).

This looks like a typical authentication-done-wrong problem on Google's side
here... Not sure if it really qualifies for the name "hack" though.

~~~
joenathan
This only works if you don't have a lock screen gesture or lock screen pin,
and if you don't have one of those then you must not be concerned about others
having access to your data.

~~~
barrkel
Defense should be defense in depth. Just because I once left my front door
open overnight doesn't mean I don't value all my possessions.

~~~
joenathan
Not setting your lock screen security is not like leaving your front door open
once, it's like not having a front door at all.

~~~
barrkel
Gesture screen lock security is no security at all - smudges mean the screen
can almost always be unlocked at will. More likely is an encrypted phone with
PIN or password entry on startup (that's what I use). But that still leaves
the phone open to use when it's powered up, in standby.

There's a reason why password change dialogs in OSes ask for your previous
password before letting you change it. Just relying on a single layer is
foolhardy. For things as critical as money, you need multiple hurdles.
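
The TL;DR above (clearing the app's data lets a new PIN be set) and the point about asking for the previous password before a change are the same design question. The illustration below is an added example, not code from Google Wallet or from anyone in this thread; the class names, the "account record", the iteration count and the five-failure lockout are all assumptions made for the demo. It contrasts a PIN store whose enrolment state lives only in app data (so an empty store looks like first run) with one whose state is bound to a record the device owner cannot erase from the phone and whose reset always needs the current PIN.

```java
// Added illustration (not Wallet's code): why "no local PIN record" must not
// be treated as "first run, accept any new PIN". All names are hypothetical.
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PinPolicyDemo {

    static final int MAX_FAILURES = 5;        // assumed lockout threshold

    /** Stand-in for the app's private data directory; Settings "Clear data" empties it. */
    static final class AppData {
        final Map<String, byte[]> kv = new HashMap<>();
        void clearAll() { kv.clear(); }
    }

    /** Stand-in for a record the provider keeps with the account, not on the phone. */
    static final class AccountRecord {
        byte[] salt, pinHash;
        int failures;
        boolean locked;
    }

    // Slow, salted derivation so a short PIN is not a trivial offline guess.
    static byte[] derive(char[] pin, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(pin, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] newSalt() {
        byte[] s = new byte[16];
        new SecureRandom().nextBytes(s);
        return s;
    }

    /** Weak pattern: enrolment lives only in app data, and a missing record means "first run". */
    static boolean weakSetPin(AppData data, String current, String replacement) {
        byte[] salt = data.kv.get("salt"), hash = data.kv.get("pin");
        boolean firstRun = (hash == null);
        if (!firstRun && (current == null
                || !MessageDigest.isEqual(hash, derive(current.toCharArray(), salt)))) {
            return false;
        }
        byte[] s = newSalt();
        data.kv.put("salt", s);
        data.kv.put("pin", derive(replacement.toCharArray(), s));
        return true;
    }

    /** Hardened pattern: enrolment is bound to the account record (set once after an
     *  account sign-in handled elsewhere); every later change needs the current PIN,
     *  and repeated failures lock the record until the holder re-authenticates. */
    static boolean hardenedSetPin(AccountRecord acct, String current, String replacement) {
        if (acct.locked) return false;
        if (acct.pinHash != null) {
            if (current == null
                    || !MessageDigest.isEqual(acct.pinHash, derive(current.toCharArray(), acct.salt))) {
                if (++acct.failures >= MAX_FAILURES) acct.locked = true;
                return false;
            }
        }
        acct.failures = 0;
        acct.salt = newSalt();
        acct.pinHash = derive(replacement.toCharArray(), acct.salt);
        return true;
    }

    public static void main(String[] args) {
        AppData data = new AppData();
        weakSetPin(data, null, "1234");                  // legitimate enrolment
        data.clearAll();                                 // what "Clear data" does to app prefs
        System.out.println("weak: new PIN accepted after clear = "
                + weakSetPin(data, null, "0000"));

        AccountRecord acct = new AccountRecord();
        hardenedSetPin(acct, null, "1234");              // legitimate enrolment
        data.clearAll();                                 // the phone's data is not where the state lives
        boolean anyReset = false;
        for (int i = 0; i < MAX_FAILURES; i++) {
            anyReset |= hardenedSetPin(acct, "000" + i, "9999");   // constructed wrong guesses
        }
        System.out.println("hardened: reset with wrong PIN = " + anyReset
                + ", record locked = " + acct.locked);
        System.out.println("hardened: correct PIN after lockout = "
                + hardenedSetPin(acct, "1234", "9999"));
    }
}
```

Run with `javac PinPolicyDemo.java && java PinPolicyDemo`. The weak path reports that a fresh PIN was accepted once the local store was emptied, because nothing distinguishes "wiped" from "never enrolled"; the hardened path refuses every guess, locks the record after the fifth failure, and then refuses even the correct PIN until the account holder re-authenticates, which is the "multiple hurdles" idea above applied to the reset flow rather than only to the lock screen.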

------
casca
This shows particularly poor design by Google. There are a number of ways that
mobile devices can be compromised and Google cannot account for all of them,
but this is the most basic level.

If you're trying to protect an application from a device that's been stolen,
assume that the attacker has unlocked, physical access. The only platform that
has a claim to a safe lock-screen is Blackberry because they:

- Require the password before allowing any USB access
- Will wipe the device after 5 failed password entries by USB or on the console

~~~
tehaugmenter
This is why large scale companies will most likely never move to an Android
based device. Sad but true. Blackberries they control through their BES Server
and set the failed attempts to anything they want. It's like having Active
Directory on a phone system.

~~~
abraham
Android supports device administration which can be used to require
pins/passwords, require encryption, and even remotely wipe the device.

[http://developer.android.com/guide/topics/admin/device-admin.html](http://developer.android.com/guide/topics/admin/device-admin.html)
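
As a concrete illustration of the device-administration API linked above (and of the failed-attempts wipe that the Blackberry comparison earlier in the thread asks for), here is an added example; it is not code from the Android documentation, from Google Wallet, or from anyone in this thread. It assumes a `DeviceAdminReceiver` subclass registered in `AndroidManifest.xml` with a `res/xml/device_admin.xml` that declares the `limit-password`, `force-lock`, `wipe-data` and `encrypted-storage` policies; the class name, the ten-attempt threshold and the 60-second lock timeout are assumptions for the demo. The `DevicePolicyManager` calls themselves are the real framework API.

```java
// Added example (not from the thread or from Google Wallet): a minimal Android
// device-administration policy that enforces a numeric PIN, auto-lock, wipe
// after repeated failures, storage encryption, and exposes a remote wipe hook.
// Assumes the receiver is declared in the manifest with the matching
// res/xml/device_admin.xml policies. Class name and thresholds are hypothetical.
package com.example.policy;

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public class WalletGuardAdminReceiver extends DeviceAdminReceiver {

    // Wrong unlock attempts allowed before the device wipes itself (assumed value).
    static final int MAX_FAILED_ATTEMPTS = 10;

    // Fired once the user approves this app as a device administrator.
    @Override
    public void onEnabled(Context context, Intent intent) {
        applyPolicy(context);
    }

    static void applyPolicy(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(context, WalletGuardAdminReceiver.class);

        if (!dpm.isAdminActive(admin)) {
            return; // policy calls throw until the user has activated the administrator
        }

        // 1. Require a real numeric PIN (a gesture does not satisfy this), at least six digits.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC);
        dpm.setPasswordMinimumLength(admin, 6);

        // 2. Lock the screen after at most 60 seconds of inactivity.
        dpm.setMaximumTimeToLock(admin, 60 * 1000L);

        // 3. Wipe the device after too many wrong PIN entries.
        dpm.setMaximumFailedPasswordsForWipe(admin, MAX_FAILED_ATTEMPTS);

        // 4. Request storage encryption where the hardware supports it; the user
        //    still has to complete the encryption process from Settings.
        if (dpm.getStorageEncryptionStatus() != DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            dpm.setStorageEncryption(admin, true);
        }

        // 5. If the current lock screen does not meet the policy, send the user to fix it.
        if (!dpm.isActivePasswordSufficient()) {
            Intent setPassword = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            setPassword.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(setPassword);
        }
    }

    /** Remote-wipe hook; the trigger (e.g. a push message) is handled elsewhere. */
    static void remoteWipe(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // 0 wipes internal storage; OR in WIPE_EXTERNAL_STORAGE to clear the SD card as well.
        dpm.wipeData(0);
    }
}
```

Note the order of operations: none of the policy calls take effect until `isAdminActive` is true, which only happens after the user accepts the activation prompt (`ACTION_ADD_DEVICE_ADMIN`), so an app cannot silently impose these settings; in a managed fleet that acceptance is what the server-side enrolment step drives.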

------
mpclark
It's worth noting that this and other recent problems are only with Google's
mobile wallet implementation, not an issue with NFC.

------
cleverjake
Does this only affect the prepaid card, as opposed to the ones that are added
by the user?

