The security PIN system that Google Wallet users have to enter to verify transactions has been compromised. Thankfully, the chances of your wallet being used against you is relatively low—assuming you haven't rooted your phone, that is.
Since Wallet saves your PIN in an encrypted file on the phone itself, rather than the secured NFC chip, if your phone falls into the wrong hands, that person could lift your PIN file from the phone and simply crack it using brute force. From there, he'd have access to—and use of—your Wallet account.
Security firm, Zvelo, discovered and reported the issue to Google, but because Wallet's security architecture, the change will require a fundamental rejiggering of the security protocols. Man, talk about an oversight. According to Zvelo,
The lynch-pin, however, was that within the PIN information section was a long integer "salt" and a SHA256 hex encoded string "hash". Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes...This completely negates all of the security of this mobile phone payment system.
Google has issued this statement on the matter,
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN. We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.
So, if you are rooted, be sure to take some additional security steps to protect yourself like activating the lock screen, disabling the USB debugging option in settings, and enabling full-disk encryption. Or maybe not losing your phone in the first place. [Zvelo via Android Central via The Verge]