Google has put the brakes on the use of its prepaid cards for Google Wallet after two hacks were discovered that could steal money from a user’s account.
Osama Bedier, vice president for Google Wallet and Payments, wrote in a blog on Saturday that the company is taking this action temporarily until it can make a more long-term correction.
“To address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards,” Bedier explained. “We took this step as a precaution until we issue a permanent fix soon.”
This move means that existing and new customers of Google Wallet will not be able to use a Google prepaid card to add money to their account. However, they can still apply for and use a Citi-issued MasterCard credit card. The service offers both methods to shore up funds to pay for items via the virtual wallet.
The decision follows two hacks that hit the wild last week, both of which can crack through a user’s PIN, especially if the phone were to be lost or stolen.
Uncovered by researchers at security firm Zvelo, the first hack requires that the mobile device be rooted, a time-consuming and tricky operation unless the hacker is skilled and quick enough.
But the second hack, as described by blogging site The Smartphone Champ, can be performed by anyone simply by resetting the Google Wallet app, entering a new PIN, and then using the Google prepaid card to tap into the user’s funds.
Despite the two hacks and the company’s decision to disable its prepaid card, Google insists that its Wallet service is still a safe way of paying for goods via a mobile phone.
“People are asking if Google Wallet is safe enough for mobile phone payments,” Bedier wrote. “The simple answer to this question is yes. In fact, Google Wallet offers advantages over the plastic cards and folded wallets in use today…Google Wallet is protected by a PIN — as well as the phone’s lock screen, if a user sets that option.”
Chiming in on the first hack, security vendor McAfee also threw in some pieces of advice for Google Wallet users:
- Use a lock code/password, swipe pattern, or face unlock.
- Keep your phone close and in your possession. If attackers don’t have physical access to your phone, they can’t install malicious apps or spyware.
- Install antivirus software on the phone to protect against unwanted root exploits and spyware.
Google Wallet may be safe, at least if someone follows security best practices. But the hacks against the service come at a bad time.
As the industry strives to ramp up NFC, or near-field communications, convincing consumers of the safety of paying for items via their mobile phones is a major challenge. And anything that puts a hole in the armor of mobile payments makes that challenge all the more difficult.