Well, well, well! It looks as though Google Wallet users who don't root their Android phones have something to worry about after all! And when you read about the details of this particular flaw, you will slap your head because it's a major bone-headed error on Google's part. Go read The Smartphone Champ for the scoop:
“All a person who wants to access your Google Wallet has to do is go into the application settings menu and clear the data for the Google Wallet app. After doing that your Google Wallet app will be reset and will prompt for you to set a new PIN the next time you open it. The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new PIN and log into the app, when they add the Google prepaid card it will add the card that is tied to that device. In other words, they’d be able to add your card and have full access to your funds. This vulnerability is particularly bad as it does not require root or any other software in order to gain access to your Google Wallet.”
Holy cow! Are you serious? So all I have to do to access someone's Google prepaid card is steal their phone, clear their data and reset the PIN? That is crazy, man. Just crazy. Scott Webster over at Android Guys says that "Google was already aware of the initial problem" and adds that "they will be issuing an update in short order," but, I mean, c'mon, man. This is the tech equivalent of issuing a driver's license written in pencil. No sane person should use Google Wallet until Google gets this fixed.
Google seems to realize that it's made a pretty big oopsie here and has emailed the folks at Android and Me to let us know that they're working to patch this hole with all due haste:
“We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”
You can check out the Smartphone Champ's video here to see this major security flaw for yourself: