Security researchers pick Google Wallet with brute-force attack
Google Wallet users might want to stick to plastic and paper for a while. IT security researchers at Zvelo have discovered that PIN protection behind Google Wallet can be cracked via a brute-force attack in a matter of seconds. Google has been made aware of the problem, but there's no easy fix. In fact, part of securing Google Wallet would require banks taking some responsibility for protecting users, and they may not be amenable to doing so.
<snip>
Why is Google Wallet so seemingly insecure? Part of the problem: Google Wallet doesn't require a longer, more complicated password. According to Zvelo, requiring users to key in a complex password each time they wanted to make a purchase would deter them from using Google Wallet.
The next problem is Google Wallet's use of what's called a Secure Element (SE) for storing and encrypting sensitive information such as credit card numbers. Researchers found it fairly easy to examine the data stored on the SE, which included Unique User IDs (UUID), Google account information, Cloud to Device Messaging account information, Google Wallet Setup status, Card Production Lifecycle (CPLC) data, and PIN information. "The linchpin, however, was that within the PIN information section was a long integer 'salt' and a SHA256 hex encoded string 'hash,'" Rubin wrote.
The brute-force program developed by the team exploits the presence of that hash and salt to flawlessly crack the Google Wallet PIN.
<snip>
http://www.infoworld.com/t/mobile-security/security-researchers-pick-google-wallet-brute-force-attack-186140