The security PIN system that Google Wallet users have to enter to verify transactions has been compromised. Thankfully, the chances of your wallet being used against you is relatively low — assuming you haven’t rooted your phone, that is.
Since Wallet saves your PIN in an encrypted file on the phone itself, rather than the secured NFC chip, if your phone falls into the wrong hands, that person could lift your PIN file from the phone and simply crack it using brute force. From there, he’d have access to — and use of — your Wallet account.
Security firm, Zvelo, discovered and reported the issue to Google, but because Wallet’s security architecture, the change will require a fundamental rejiggering of the security protocols. Man, talk about an oversight. According to Zvelo,
The lynch-pin, however, was that within the PIN information section was a long integer “salt” and a SHA256 hex encoded string “hash”. Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes…This completely negates all of the security of this mobile phone payment system.
So, if you are rooted, be sure to take some additional security steps to protect yourself like activating the lock screen, disabling the USB debugging option in settings, and enabling full-disk encryption. Or maybe not losing your phone in the first place. [Zvelo via Android Central via The Verge]