US customers of the Samsung Galaxy Nexus have had access to Google’s NFC-based Google Wallet service, which enables instant contactless payments. Google Wallet works with a simple PIN code, stored on the phone, that enables the NFC payment features on the phone, which are connected to bank accounts, loyalty schemes, etc. Even though the PIN code is encrypted, a security firm called Zvelo figured out a way to get hold of that PIN code, provided the Android phone has been rooted.
Seeing as NFC is still in its infancy on mobile phones, it was only a matter of time before its security vulnerabilities were figured out. The problem with the current Android Google Wallet implementation is that the PIN code is not stored on the NFC chip itself, but rather on the phone, where it is secured by the Android operating system. Many users of Android devices go to the effort of rooting their devices, which lets them become “superusers” who can then alter the root permissions on the devices. As soon as a phone is rooted, a thief can simply install the Google Wallet Cracker app, and the PIN code will be revealed.
Check out the video below to see how easy it is:
In SA we are still safe, seeing as NFC is not really implemented here yet. But with significant investments from the major credit card companies, and SA banks getting involved with contactless payment systems, we ought to see those NFC chips in the latest phones actually becoming useful soon enough.
Think about it this way – in the future, if you lose your phone, it is as good as losing your debit card.
Source: The Verge