Google’s NFC chip that can turn your phone into a wallet has a major security issue. The security firm Zvelo has found that Google Wallet can be hacked by an app that is easily found online. Our own Ed Caggiani gave you a detailed outline of the security flaw earlier today. Keep in mind, though, that this flaw affects only rooted phones. Also, a rooted phone can be hacked only in person (for example, if you lost your phone), and using a PIN lock screen will keep criminals from accessing your phone.
The Next Web contacted Google for a statement on the issue, and received the following response:
“The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
“We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.”
Google is simply encouraging people who have rooted phones not to use Google Wallet. If the company is working on a fix for this issue, it is not mentioning it. While it’s true that rooting a phone will disable the security features that Google has in place, Google also openly encourages people to root their phones and make them their own. The easiest fix may be to have the PIN stored by your bank rather than by Google, but that would open a whole new can of worms, including changing Google’s terms of service. We hope that Google will tackle this issue and come out with a security fix in the near future.
source: The Next Web
