With the advent of mobile payments and more and more users storing sensitive information on their smartphones, security is becoming a greater concern.
That is why the following story is so harrowing: a man’s son was able to reset the password on his father’s Google account, and all he needed was the father’s Android phone.
The procedure below requires no knowledge of the account holder’s credentials or recovery details; physical access to the unlocked phone is enough, because the reset flow treats the phone itself as proof that you own the account. A Reddit user recounts the process in detail:
“I just discovered what seems to me a massive security loophole. Please someone tell me if the following makes any sense.
My son was playing on my phone (Galaxy S3). He tried to purchase in app items on Subway Surfer but didn’t know the password. So, he followed the following steps to reset my password from my phone without having to enter any information about the account:
Starting from the screen after you click “buy,”
1. Click the question mark next to the password box when asked to confirm password for a purchase.
2. Click “forgot password.”
3. Click “I don’t know.”
4. Leave the selection on the page at “Confirm password reset on my Android Samsung SCH-I535 phone.”
5. Click “Yes.”
6. Click “Allow Password Reset.”
7. Enter and confirm new Password.
And that allowed someone with absolutely no knowledge about my Google account, and access only to my phone, to reset a new password for my entire Google account.”
– karcirate (reddit)
This loophole has been around for quite some time; now that users realize how easy it is to abuse, Google should work on closing it.
What can you do to protect against this? Someone would need access to your phone in order to make purchases on it or to reset your password and take over your account, so the device lock is the only thing standing between anyone holding the phone and your whole Google account. Setting a lock screen (PIN, pattern or password) is your best bet against strangers. Hopefully the friends you’d allow access to your phone can be trusted enough not to rack up your bill or mess with your Google account.