The solution, per Zvelo, is straightforward in theory: PIN verification needs to move into the SE, and the PIN hash and salt should not be stored outside the SE.
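To make the design point concrete, here is an added example (not code from the article, from Zvelo, or from Google Wallet) that models the two verification designs in software. Design A stores a salted PIN hash where application code can read it, so the check can be replayed anywhere the data is copied; Design B keeps the reference value inside a verifier that only answers yes/no and enforces a retry counter, which is the property a secure element provides in hardware. The PIN, salt size, hash function and lockout threshold are all constructed assumptions for the demonstration, not details of the real product.

```python
"""Added example: why an offline-verifiable PIN hash cannot be protected by a
retry limit, while verification inside a secure element (SE) can.  Everything
here (PIN, salt, hash choice, MAX_ATTEMPTS) is constructed for the demo."""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

PIN_LENGTH = 4
MAX_ATTEMPTS = 3  # constructed lockout threshold for the SE-style verifier


def pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 of the PIN digits, standing in for whatever hash an app stores."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


class ExportableHashStore:
    """Design A: hash and salt live in app-readable storage.

    Whoever can read the two fields can run pin_hash() themselves, so nothing
    limits the number of guesses; only the 10**PIN_LENGTH key space remains."""

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.digest = pin_hash(pin, self.salt)

    def verify(self, guess: str) -> bool:
        return hmac.compare_digest(pin_hash(guess, self.salt), self.digest)


class SecureElementVerifier:
    """Design B: the reference value never leaves the element, and each failed
    verify() call decrements a retry counter; once it reaches zero the element
    refuses to answer.  Modelled in software here; a real SE enforces this in
    tamper-resistant hardware."""

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)
        self._digest = pin_hash(pin, self._salt)
        self.remaining = MAX_ATTEMPTS
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError("PIN verification locked: retry counter exhausted")
        if hmac.compare_digest(pin_hash(guess, self._salt), self._digest):
            self.remaining = MAX_ATTEMPTS  # correct PIN resets the counter
            return True
        self.remaining -= 1
        if self.remaining == 0:
            self.locked = True
        return False


def exhaustive_search(verify: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Submit every PIN in order until verify() accepts one or refuses to answer.

    Returns (matched_pin_or_None, guesses_answered).  Used only to measure how
    much work each design leaves to someone holding the device's data."""
    attempts = 0
    for n in range(10 ** PIN_LENGTH):
        guess = f"{n:0{PIN_LENGTH}d}"
        try:
            ok = verify(guess)
        except PermissionError:
            return None, attempts
        attempts += 1
        if ok:
            return guess, attempts
    return None, attempts


def compare_designs(pin: str) -> dict:
    """Run the same exhaustive search against both designs and report the outcome."""
    offline_pin, offline_tries = exhaustive_search(ExportableHashStore(pin).verify)
    se = SecureElementVerifier(pin)
    se_pin, se_tries = exhaustive_search(se.verify)
    return {
        "offline_recovered": offline_pin,
        "offline_tries": offline_tries,
        "se_recovered": se_pin,
        "se_tries": se_tries,
        "se_locked": se.locked,
    }


if __name__ == "__main__":
    # Constructed PIN; the offline store gives it up after at most 10,000 cheap
    # hashes, the SE model stops answering after MAX_ATTEMPTS wrong guesses.
    print(compare_designs("7294"))
```

The retry counter is the whole difference: in Design A it cannot exist, because the check runs wherever the hash and salt have been copied, so the salt only stops precomputation and does nothing against a 10,000-entry search. Moving verification inside the SE and never exporting the hash or salt, as the article prescribes, is what makes the counter binding.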
Updating the code so that verification runs inside the SE requires getting approval from SE manufacturers, which is not a significant hurdle, according to Zvelo. The bigger challenge is that moving PIN verification into the SE might shift responsibility for the PIN's security from Google to the banks. "If this is in fact the case, then the banks may need to follow their own policies and regulations regarding ATM PIN security which obviously, and rightly, receive a great deal of scrutiny," Rubin wrote.
The banks "may actually choose to accept the risk imposed by this vulnerability rather than incur the financial and administrative overhead of allowing Google to release a proper fix (and thereby potentially put the banks on the hook for the PIN security)," Rubin continued. "Zvelo feels that this would be a grave mistake and would expose users to undue risk."
Zvelo offered five suggestions for Google Wallet users to mitigate the vulnerability:
1. Do not root your phone. Doing so will be one less step for a thief.
2. Enable lock screens. Face Unlock, Pattern, PIN, and Password all increase the physical security of the device. Slide, however, does not.
3. Disable USB debugging. When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
4. Enable full-disk encryption. This will prevent even USB Debugging from bypassing the lock screen.
5. Keep your device up to date. Ensure the device is running the latest official software. Unfortunately, users are largely at the mercy of their carrier and handset manufacturer for this. Using only official software and keeping devices up to date is the best way to minimize vulnerabilities and increase security overall.
This article, "Security researchers pick Google Wallet with brute-force attack," was originally published at InfoWorld.com.