Google’s NFC Wallet comes with a fatal flaw that could expose users’ credit card numbers

Google Wallet Security: Demo of PIN Exposure Vulnerability

Security researchers have found that it is as easy as pie to unlock the Google Wallet app on NFC-equipped Android handsets.

Because the PIN is only 4 digits long, it is extremely easy to brute-force it from the handset, exposing sensitive information: not only transaction history but also credit card numbers.

To recover the PIN, an attacker needs the hash value stored in the app’s isolated storage, so this is only a problem if the handset is rooted (unlikely) or stolen or lost (much more likely), which makes losing the phone akin to losing your actual wallet.
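An added example, not taken from the article or from Google’s code, showing why an unkeyed hash of a 4-digit PIN gives no protection once the app’s storage has been read, and why a verifier keyed under a secret that only protected hardware (such as the secure element) holds stops the same offline search. The PIN, salt and device key are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

# Constructed values for the demo (not from the article).
PIN_DIGITS = 4
SAMPLE_PIN = "4271"
SALT = b"constructed-salt"            # sits in the same database as the verifier

def unkeyed_verifier(pin: str, salt: bytes) -> bytes:
    """Weak design: a plain salted SHA-256 of the PIN, stored beside its salt on the handset."""
    return hashlib.sha256(salt + pin.encode()).digest()

def keyed_verifier(pin: str, salt: bytes, device_key: bytes) -> bytes:
    """Hardened design: an HMAC under a key that only protected hardware (e.g. the secure
    element) holds, so the verifier cannot be recomputed from the app's storage alone."""
    return hmac.new(device_key, salt + pin.encode(), hashlib.sha256).digest()

def offline_search(verifier: bytes, salt: bytes,
                   compute: Callable[[str, bytes], bytes]) -> Tuple[Optional[str], int]:
    """Model what holding only the app's storage allows: recompute every 4-digit PIN
    and compare. Returns (matching_pin, attempts); matching_pin is None on exhaustion."""
    attempts = 0
    for n in range(10 ** PIN_DIGITS):
        candidate = f"{n:0{PIN_DIGITS}d}"
        attempts += 1
        if hmac.compare_digest(compute(candidate, salt), verifier):
            return candidate, attempts
    return None, attempts

def demo() -> dict:
    """Run both designs against the same attacker model: storage readable, hardware key not."""
    device_key = secrets.token_bytes(32)   # never written to the database
    weak = unkeyed_verifier(SAMPLE_PIN, SALT)
    strong = keyed_verifier(SAMPLE_PIN, SALT, device_key)

    # Unkeyed: the whole space is at most 10,000 hashes away.
    weak_pin, weak_tries = offline_search(weak, SALT, unkeyed_verifier)
    # Keyed: without device_key the only thing that can be computed from the stored data
    # is the unkeyed function, which never matches; the search exhausts the space.
    strong_pin, strong_tries = offline_search(strong, SALT, unkeyed_verifier)

    return {
        "search_space": 10 ** PIN_DIGITS,
        "weak_pin": weak_pin, "weak_tries": weak_tries,
        "strong_pin": strong_pin, "strong_tries": strong_tries,
    }

if __name__ == "__main__":
    print(demo())
```

The keyed design only helps if the key really is out of reach of whatever reads the database; rooting the handset does not expose a key that stays inside the secure element.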

A bigger danger is a rogue app entering the marketplace with a method of achieving privilege escalation. Given the malware problem on the Android marketplace, this is more likely than it may at first appear, making it possible for thousands of credit card numbers to be stolen in the future, and of course making Android handsets an even more attractive target for hackers.

The Register reports that the issue is very difficult for Google to fix, which may explain Verizon’s concern about security issues with Google’s Wallet app on the Verizon Galaxy Nexus.

Windows Phone 8, the next version of Windows Phone, is expected to support NFC and carrier implementations of mobile payments, which are claimed to be more secure than Google’s version.

Read more at The Register.