Google has disabled parts of its Wallet service as the company looks to address a high-profile security vulnerability.
The company said it has temporarily disabled the use of prepaid cards on its retail platform as it looks to remedy a security flaw which could allow an attacker to steal the PIN number on Google Wallet systems.
“To address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards,” the company said in a blog post. “We took this step as a precaution until we issue a permanent fix soon.”
The announcement follows a report from security researchers at zVelo on possible attack scenarios on Google Wallet. Researchers found that certain pieces of information in the mobile handset versions of Google Wallet were left unencrypted.
The researchers reported that modified or “rooted” handsets could be accessed by an attacker, and that key pieces of information could be lifted and then analysed to reveal a user’s PIN number.
Additionally, attackers found that the process allows for the PIN to be uncovered without the need for brute force attacks, negating Google’s own limits on unsuccessful logins.
While a fix is being developed, zVelo has recommended that users avoid rooting their handsets and enable the “lock screen” and “full disk encryption” features as well as disable USB debugging to limit outside access from potential attackers.
Following the disclosure, the company said that a number of mitigating factors will limit the scope and risk of a potential attack.
First, the Google Wallet platform is still early in its deployment phase and is limited to the Galaxy Nexus and Nexus X handsets.
Additionally, the company noted that the rooting process is not supported by Google and that in “most cases” rooting will cause the Wallet software to automatically disable itself.
UPDATE: Google has restored the ability to issue new prepaid cards to Wallet, the company announced Feb. 14. As an added precaution, Google also issued a fix that will prevent existing prepaid cards from being re-provisioned to another user.