That’s twice. In two days. Yesterday, security firm Zvelo discovered a potential exploit against rooted phones. Today, tech blog TheSmartphoneChamp discovered how to accomplish the same feat on non-rooted phones. This is not good.
What makes the new hack so dangerous is that it requires absolutely no hacking. While yesterday’s exploit required you to crack encrypted files, today’s simply requires you to clear the Google Wallet data in the app settings. Doing so forces Google Wallet to reset itself and prompt the user for a new PIN. Once that’s done, the attacker ties a Google PrePaid card to the account and presto — all previously available funds are once again accessible. The method has been tested by multiple sources and confirmed by Google itself — this is not a drill.
Over in the States (the NFC-based payment system hasn’t rolled out in Australia yet), Google has issued a statement regarding the new method:
“We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”
Just like yesterday, you can protect yourself by enabling the lock screen, installing tracking software, encrypting your drive, and not losing your phone.