Google suspends Wallet prepaid cards

Google has stopped creating new prepaid cards for Google Wallet, following the discovery of a security flaw that allows funds to be easily tapped.

Google Wallet is the company’s near field communication (NFC) system that allows electronic payment from Android phones by tapping in a PIN. But according to security firm Zvelo, it’s possible for anyone who gets hold of the phone to access funds from any prepaid Google card linked to the device.

The hacker simply needs to wipe the existing Google wallet data and then link the app to a new Google Wallet account, created with a new PIN. It’s then possible to tap into the previous account and access the funds.

Google’s responded by suspending the creation of new prepaid cards, and says it’ll have a fix for the problem soon.

The vulnerability derives from the fact that critical information such as the user’s account number is stored within the phone’s Secure Element, while the PIN is kept as a salted hash on the device itself.

Zvelo points out that fixing the problem by moving the PIN verification into the Secure Element may cause problems in itself.

“The fear is that Google might no longer be responsible for the security of the PIN, but rather the banks themselves. If this is in fact the case, then the banks may need to follow their own policies and regulations regarding ATM PIN security which obviously, and rightly, receive a great deal of scrutiny,” says the company.

“At present, the decision is in the banks’ hands. They may actually choose to accept the risk imposed by this vulnerability rather than incur the financial and administrative overhead of allowing Google to release a proper fix (and thereby potentially put the banks on the hook for the PIN security).”