This "quite significant security flaw" isn't new, but it is news, having received a bit of a boost in various blogs in recent days - oddly enough, because of the emergence of yesterday's much harder (and so less urgent) brute-force attack on the same PIN. Last December Evangelion01, posting on the xda-developers forum, drew attention to the following weakness in Google Wallet:
- Go into application settings.
- Clear data for Google wallet.
- Open wallet and set it back up.
- Everything remaining on your Google prepaid card can now be used.
This succeeds because Google Wallet stores your card details not in the phone's file system, but on the Secure Element, where they are meant to be safe from tampering. They are therefore unaffected by clearing the application's data. However, your PIN, the only thing standing between a thief and the prepaid balance, is just stored in a file in that application data, so it does get wiped. Next time you run it, Google Wallet looks for the missing PIN, and concludes that it's being run for the very first time. Since Google Wallet is tied to the device itself, rather than to your Google account, it does not ask you to prove who you are; it simply asks you to set a new PIN. All you have to do now is think of a number, and...
Bingo! When it next needs a prepaid card, it will find one already present on the Secure Element, and start using it.
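The underlying design mistake is that the "is this the first run?" decision is taken from storage the user can wipe, while the asset it protects lives somewhere that survives the wipe. The following is an added toy model, not Google Wallet's code, with a constructed owner/thief scenario: a vulnerable wallet that decides "first run" from app data alone, beside a hardened variant that treats the Secure Element as the authority for provisioning state and demands re-authentication when the two disagree. The class and field names, the PBKDF2 PIN verifier, and the "re-auth on mismatch" remedy are this example's assumptions, not a description of how Google actually fixed the bug.

```python
import hashlib
import hmac
import os

# Toy model of the clear-data PIN bypass (added example, not Google's code).
# Assumed names throughout; the remedy shown is one reasonable design, not Google's fix.

PBKDF2_ROUNDS = 10_000


class SecureElement:
    """Tamper-resistant chip: its contents survive 'Clear data' in Android app settings."""

    def __init__(self):
        self.card = None        # prepaid card credential and balance
        self.pin_record = None  # hardened variant keeps the PIN verifier here


class AppData(dict):
    """Ordinary app-private storage: wiped by 'Clear data'."""

    def clear_data(self):
        self.clear()


def make_pin_record(pin, salt=None):
    """Salted PBKDF2 verifier for a PIN (assumed scheme for the example)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def pin_ok(pin, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class VulnerableWallet:
    """First-run decision taken from app data alone, while the card lives on the SE."""

    def __init__(self, se, app):
        self.se, self.app = se, app

    def open(self):
        # Missing PIN file => "never set up" => offer setup and accept any new PIN.
        return "setup" if "pin" not in self.app else "unlock"

    def setup(self, new_pin):
        self.app["pin"] = make_pin_record(new_pin)
        if self.se.card is None:
            self.se.card = {"balance": 0}  # fresh provisioning; a real flow would top up

    def pay(self, pin, amount):
        if not pin_ok(pin, self.app["pin"]):
            raise PermissionError("bad PIN")
        self.se.card["balance"] -= amount
        return self.se.card["balance"]


class HardenedWallet(VulnerableWallet):
    """Provisioning state and PIN verifier are authoritative on the SE, not in app data."""

    def open(self):
        if self.se.card is None and self.se.pin_record is None:
            return "setup"  # genuinely the first run
        if "pin" not in self.app:
            # App data gone but the SE is still provisioned: a reset, not a first run.
            # Demand re-authentication to the owning account instead of a fresh PIN.
            return "reauth"
        return "unlock"

    def setup(self, new_pin):
        if self.open() != "setup":
            raise PermissionError("wallet already provisioned; re-authenticate first")
        self.se.pin_record = make_pin_record(new_pin)
        self.app["pin"] = self.se.pin_record  # cache only; the SE copy is authoritative
        self.se.card = {"balance": 0}

    def pay(self, pin, amount):
        if not pin_ok(pin, self.se.pin_record):
            raise PermissionError("bad PIN")
        self.se.card["balance"] -= amount
        return self.se.card["balance"]


def simulate_attack(wallet_cls, owner_pin="4711", attacker_pin="0000", balance=50):
    """Constructed scenario: owner sets up and loads the card; thief clears app data
    and tries to spend. Returns the balance left if the thief can pay, None if blocked."""
    se, app = SecureElement(), AppData()
    wallet = wallet_cls(se, app)
    assert wallet.open() == "setup"
    wallet.setup(owner_pin)
    se.card["balance"] = balance   # owner loads prepaid credit
    app.clear_data()               # thief: Settings -> Apps -> Google Wallet -> Clear data
    wallet = wallet_cls(se, app)   # thief reopens the wallet
    if wallet.open() != "setup":
        return None                # hardened path: re-auth demanded, no new PIN accepted
    wallet.setup(attacker_pin)     # vulnerable path: pick any PIN you like
    return wallet.pay(attacker_pin, 20)


if __name__ == "__main__":
    print("vulnerable:", simulate_attack(VulnerableWallet))  # thief spends 20 of 50
    print("hardened:  ", simulate_attack(HardenedWallet))    # blocked at re-auth
```

The check that matters is in `HardenedWallet.open`: "no PIN in app data" is only treated as a first run when the Secure Element also has nothing provisioned. Any state that outlives a data wipe has to be consulted before the app concludes it is starting from scratch, and the recovery path for "app data missing, SE provisioned" must cost the holder something a thief does not have, such as the account password.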
There are a few mitigating factors. First you have to steal a phone that isn't screen-locked. And not just any phone: it has to be a Samsung handset that Google Wallet supports, with Wallet installed, activated, and holding prepaid credit. So in that sense, Google Wallet is no more insecure than any other wallet - a little better, in fact, since a stolen leather one needs no steps at all. Still, it's quite surprising that such a vulnerability should be allowed to get this far.
Update: they've finally fixed it.