Security firm Zvelo has found that the PIN protecting Google Wallet can be cracked through an exhaustive numerical search. The PIN is composed of only four digits, and the firm was able to calculate it. In a blog post, the company claimed the process was “trivial even on a platform as limited as a smartphone”. The blog goes on: “Google Wallet allows only five invalid PIN entry attempts before locking the user out. With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system.”

The firm recommends moving the PIN verification from the handset, where it currently resides, to the secure element. However, Google Wallet users are not at risk from this threat unless they have rooted their handsets, a point Google made in its response to the security firm: “The Zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”
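
The design point behind Zvelo's recommendation can be shown with a small model, added here as an illustration and not taken from Zvelo's or Google's code. It assumes the handset stores a salted SHA-256 verifier for the PIN (the article does not say how the PIN is stored); the class and function names and the sample PIN are hypothetical.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # lockout threshold quoted in the article


def pin_digest(salt: bytes, pin: str) -> bytes:
    # Assumption for this sketch: the stored verifier is SHA-256(salt || PIN).
    return hashlib.sha256(salt + pin.encode()).digest()


class PinVerifier:
    """Attempt-limited PIN check, as the Wallet UI enforces it."""

    def __init__(self, pin: str):
        self.salt = os.urandom(8)
        self.digest = pin_digest(self.salt, pin)
        self.failed = 0

    def verify(self, guess: str) -> bool:
        if self.failed >= MAX_ATTEMPTS:
            raise PermissionError("locked after %d invalid attempts" % MAX_ATTEMPTS)
        ok = hmac.compare_digest(self.digest, pin_digest(self.salt, guess))
        self.failed = 0 if ok else self.failed + 1
        return ok


def offline_matches(salt: bytes, digest: bytes) -> list:
    """Handset design: salt and digest are readable on a rooted phone, so the
    whole 4-digit keyspace can be checked without ever calling verify()."""
    return [f"{n:04d}" for n in range(10_000)
            if hmac.compare_digest(digest, pin_digest(salt, f"{n:04d}"))]


def guesses_before_lockout(verifier: PinVerifier) -> int:
    """Secure-element design: only verify() is reachable, so the counter binds."""
    tried = 0
    for n in range(10_000):
        try:
            if verifier.verify(f"{n:04d}"):
                break
        except PermissionError:
            break
        tried += 1
    return tried
```

With the verifier material readable, the failed-attempt counter never increments; when only `verify()` is exposed, the same 10,000-value keyspace is cut off after five guesses.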