Google Wallet will temporarily stop provisioning prepaid credit cards to prevent the exploitation of a recently discovered vulnerability which allows crooks to siphon funds out of devices that are lost or stolen.

Google disabled the prepaid capability on February 10, a day after The Smartphone Champ blog exposed what it called a "painfully easy" exploit that allowed people to recover prepaid balances stored in Google Wallet without knowing the personal identification number protecting the app. To exploit the flaw, attackers need do nothing more than clear data from its settings menu and set a new PIN.

"The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new pin and log into the app, when they add the Google prepaid card it will add the card that is tied to that device," a blogger with the name Hashim wrote. "In other words, they’d be able to add your card and have full access to your funds."

Osama Bedier, vice president of Google Wallet and Payments, said phones that are accessible only when a user PIN or pattern is entered into the device aren't vulnerable to the attack. He encouraged all users of the mobile payments service to enable such lock screens, which aren't turned on by default. But he said Google was temporarily disabling provisioning of prepaid cards as a precaution until a permanent fix for the underlying vulnerability is made.

The exploit from The Smartphone Champ came a day after an engineer at security firm Zvelo disclosed a separate method for cracking Google Wallet PINs on Android devices that have been rooted. The vulnerability stems from the decision to store cryptographic hashes in a database that's associated with the app, rather than in the handset's Secure Element chip, McAfee researcher Jimmy Shah blogged.

Google's Bedier said Google Wallet users shouldn't root their devices.