There was a brief scare earlier today when it was reported that Google Wallet, Google’s mobile NFC payment solution was vulnerable to a PIN harvesting attack. That only affected rooted devices, but now a second vulnerability has been discovered, and this one affects all Android devices with Google Wallet installed.
If a third party gains access to your device, it is a simple matter to access Google Wallet. After clearing the app data for Wallet, the malicious individual just has to go to the Wallet app, and add the default Google account again and set up a PIN. Since Google’s pre-paid card is tied to hardware, and not to the PIN, any funds you’ve added to that card are accessible to the thief. Yikes.
For the time being, all users of Wallet are advised to set a pattern or PIN lock on their devices to prevent unauthorized access. No payment system is entirely secure; your credit cards certainly don’t require a PIN. Still, users are never going to trust mobile payments if they are vulnerable to these hacks.