Google is at work on a patch for a security flaw identified in its Wallet mobile payment service, urging consumers to set up a screen lock to secure their Android smartphone against hackers.
Earlier this week, security firm Zvelo revealed that the Google Wallet PIN, the code required to confirm purchases made with Android devices, can be cracked using an exhaustive numerical search. That means if a rooted Android phone without a screen lock is lost or stolen, thieves could access the encrypted file that stores the PIN and exploit the user's Google account.
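The exhaustive search Zvelo describes works because a four-digit PIN has only 10,000 possible values and, once the file holding the PIN is readable, each candidate can be checked offline with no limit on attempts. The following is an added illustration, not Google Wallet code; the SHA-256(salt || PIN) storage scheme, the `KeyedPinVerifier` class, and the lockout threshold of five attempts are assumptions chosen to make the two designs comparable. It contrasts a digest that can be tested offline with a verifier that keeps its key off the handset (in a secure element or on a server) and counts failures.

```python
"""Added illustration (not Wallet code): why an offline-verifiable PIN digest
falls to exhaustive search, and how a keyed, rate-limited verifier blocks it."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PIN_DIGITS = 4      # the PIN space discussed in the article: 10**4 values
MAX_ATTEMPTS = 5    # assumed lockout threshold for the hardened verifier


# --- Weak design (assumed, for illustration): digest stored on the device ---
def offline_pin_digest(pin: str, salt: bytes) -> bytes:
    """SHA-256(salt || PIN). Anyone who can read salt and digest can test
    candidates without talking to anything."""
    return hashlib.sha256(salt + pin.encode()).digest()


def exhaustive_search(digest: bytes, salt: bytes,
                      digits: int = PIN_DIGITS) -> Tuple[Optional[str], int]:
    """Enumerate every PIN of the given length against a readable digest.
    Returns (recovered PIN or None, number of candidates tried). The point
    is the bound: at most 10**digits cheap hashes, with no rate limit."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(offline_pin_digest(candidate, salt), digest):
            return candidate, n + 1
    return None, 10 ** digits


# --- Hardened design: key never leaves the verifier, attempts are counted ---
class LockedOut(Exception):
    """Raised once the verifier refuses further guesses."""


class KeyedPinVerifier:
    """Models a verifier (secure element or server) that holds a secret key
    absent from any file on the handset and locks after MAX_ATTEMPTS
    failures. A copied data file then contains nothing testable offline."""

    def __init__(self, pin: str, key: Optional[bytes] = None):
        self._key = key if key is not None else os.urandom(32)
        self._tag = self._mac(pin)
        self.failures = 0
        self.locked = False

    def _mac(self, pin: str) -> bytes:
        return hmac.new(self._key, pin.encode(), "sha256").digest()

    def verify(self, guess: str) -> bool:
        if self.locked:
            raise LockedOut
        if hmac.compare_digest(self._mac(guess), self._tag):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


def guesses_until_lockout(verifier: KeyedPinVerifier,
                          digits: int = PIN_DIGITS) -> Tuple[str, int]:
    """Run the same enumeration against the hardened verifier. Returns
    ("found", tries) or ("locked", tries); the search stops at MAX_ATTEMPTS
    unless the PIN happens to fall within the first few guesses."""
    for n in range(10 ** digits):
        try:
            if verifier.verify(f"{n:0{digits}d}"):
                return "found", n + 1
        except LockedOut:
            return "locked", n
    return "exhausted", 10 ** digits


if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed sample values, not real data
    digest = offline_pin_digest("4217", salt)
    print(exhaustive_search(digest, salt))                  # ('4217', 4218)
    print(guesses_until_lockout(KeyedPinVerifier("4217")))  # ('locked', 5)
```

The weak design recovers the PIN after a few thousand hashes, which a phone can do in well under a second; the keyed verifier stops answering after five wrong guesses, and its key is never in the file a thief copies. Note that this only addresses the PIN-recovery flaw: the second issue reported in the article, the prepaid card being bound to the device rather than the account, is a binding problem that no PIN scheme fixes.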
Tech blog TheSmartphoneChamp subsequently discovered a second method of attack that impacts all Google Wallet users, regardless of whether their Android phone is rooted. This flaw enables thieves to access Google Wallet app settings and tap "Clear data," erasing all Wallet information stored on the device; the next time Wallet is re-opened, it offers the initial setup process again, including entering a new PIN and tying the tap-and-pay service to a Google account. The setup process also enables the thief to re-attach the default Google Wallet prepaid card to the app. As TheSmartphoneChamp notes, because Google Wallet is tied to the device itself rather than to the Google account, the app adds the same prepaid card previously attached to the phone, meaning thieves have access to all funds added by the original owner, complete with a new PIN that lets them easily complete payment transactions.
Google confirmed the security hole, and said it is formulating a solution. "We strongly encourage anyone who loses or wants to sell or give away their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card," Google said in a statement issued to The Verge. "We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone."
Introduced last year, the Near Field Communications-based Google Wallet enables consumers to make purchases by tapping their Android smartphone at 300,000-plus MasterCard PayPass-enabled merchant terminals. Google Wallet also includes support for SingleTap, enabling users to redeem coupons and/or earn rewards points.