Google Wallet PIN


  1. #1
    Great White Shark | Join Date: Nov 2000 | Posts: 21,595

    Google Wallet PIN

    Google Wallet PIN can be cracked in seconds. Link 1

    Turns out it's not necessary to decrypt the PIN, or even hack into Google's Wallet, just ask the phone nicely and it will let anyone root through its innards. Link 2

  2. #2
    Nabby (Hammerhead Shark) | Join Date: Jun 2001 | Location: Legoland | Posts: 2,611
    Yeah I heard about this story yesterday and I would be concerned if I were using it. I do question Google's testing process if something like this isn't noticed. Maybe it was noticed and hope but they let it through anyways.

  3. #3
    ImaNihilist (LOLWUT) | Join Date: Nov 2001 | Location: San Francisco | Posts: 14,034
    I don't get all the Google Wallet stuff to be honest. NFC has been around in the form of RFID chips on credit cards for years now and most businesses haven't adopted it. The only two places I can think of are NYC cabs and Whole Foods…and Duane Reade.

    I don't understand why credit card companies don't just create little RFID sticker versions of your card that you can just attach to any phone. I opened a second American Express card, cut it up, and put the RFID tag in the battery compartment to my old BlackBerry when I lived in NYC and used it to swipe in cabs. The only advantage to Google Wallet would be if you have multiple credit cards…I don't know, just doesn't seem worth it.

    IMO, the best implementation of a wireless payment system I've seen so far is a service called Uber that provides private cabs in major cities. You sign up and attach a credit card to your account. When you use the service, it just automatically bills you. No user interaction is required after you've ordered the cab. No fumbling around with a phone trying to get it to scan. Just walk out of the cab and you get an email a few minutes later with the receipt. Square is doing a similar thing, although it's not quite as fluid.

  4. #4
    Timman_24 (I don't roll on Shabbos!) | Join Date: Aug 2004 | Location: Urbana, IL | Posts: 12,648
    It isn't as grim as it seems. The phone must be rooted and it is only available if you physically have the phone. So people that have their phone stolen specifically for this purpose may be in for the same experience as having their wallet stolen. The transaction between the cashier and the phone is still secure.

    I am wary of putting any personal information on my cell phone. People that are entering credit card information and such are more trusting than me.

    Is there a reason Google can't require an 8-12 digit alphanumeric password? No way could a phone crack that. It would take weeks-years.

    8 digit alphanumeric password = ~200 Trillion possibilities
    Last edited by Timman_24; 02-11-2012 at 04:27 PM.

  5. #5
    ImaNihilist (LOLWUT) | Join Date: Nov 2001 | Location: San Francisco | Posts: 14,034
    Quote: Originally posted by Timman_24
    It isn't as grim as it seems. The phone must be rooted and it is only available if you physically have the phone. So people that have their phone stolen specifically for this purpose may be in for the same experience as having their wallet stolen. The transaction between the cashier and the phone is still secure.

    I am wary of putting any personal information on my cell phone. People that are entering credit card information and such are more trusting than me.

    Is there a reason Google can't require an 8-12 digit alphanumeric password? No way could a phone crack that. It would take weeks-years.

    8 digit alphanumeric password = ~200 Trillion possibilities

    If you physically get a hold of someone's phone, it's unlikely that any password will save you. That's the reason that they just do four-digit PINs. The PIN keeps out the noobs.

    Once someone physically gets their hands on your device, any device, it's pretty much game over unless you have a secondary method of authentication and the first method can be revoked.

    The only way a device with a single password could be considered "secure" is if the entire disk is encrypted with a strong password. If it isn't, it's likely someone will be able to piece your password together or find an exploit. Or hell…just trigger a password reset. I mean, you can see their email.
    Last edited by ImaNihilist; 02-11-2012 at 04:38 PM.

  6. #6
    Timman_24 (I don't roll on Shabbos!) | Join Date: Aug 2004 | Location: Urbana, IL | Posts: 12,648
    Quote: Originally posted by ImaNihilist
    If you physically get a hold of someone's phone, it's unlikely that any password will save you. That's the reason that they just do four-digit PINs. The PIN keeps out the noobs.

    Once someone physically gets their hands on your device, any device, it's pretty much game over unless you have a secondary method of authentication and the first method can be revoked.

    The only way a device with a single password could be considered "secure" is if the entire disk is encrypted with a strong password. If it isn't, it's likely someone will be able to piece your password together or find an exploit. Or hell…just trigger a password reset. I mean, you can see their email.

    Perhaps if they have to query a Google server to initiate a transaction or view information? Not having the info stored on the actual device would make a difference. You would have to have access to 3G/Wi-Fi though, but practically anyone that would be using this would have that (I doubt a gas station in the boonies would have a Google Wallet till lol.)

  7. #7
    Great White Shark | Join Date: Nov 2000 | Location: Alpharetta, Denial, Only certain songs. | Posts: 9,925
    So...

    Did anybody notice the second issue that came up yesterday in the news?

    You get someone's phone, reset the NFC payment information, and re-set it up with a new PIN code. It auto-associates with the same account again, this time with the new code. Pretty serious issue if you ask me.
    Last edited by James; 02-11-2012 at 05:51 PM.

