Consumers typically don't like the idea of being targeted by ads based on behavior because they believe it violates their privacy. But a recent study from security firm ViaForensics on Google Wallet, the electronic payment system, suggests consumers could have concerns other than just being followed around the Internet and being targeted with ads.
While Google Wallet does store credit card numbers securely and uses near field communication (NFC) to make the transaction, it also leaves personal information easily accessible. A ViaForensics researcher conducted the study on a rooted NFC-enabled Nexus S 4G phone, which means the analyst had control of portions of the device most thieves would not have. I guess that would depend on whether the thief was a techno geek.
The research suggests Google Wallet does a good job of safely storing passwords, but it does not encrypt credit card data safely. It writes unencrypted database files containing payment transaction history, including account numbers, balances, and credit limits.
The application also created an image of a credit card that could provide data to carry out a "social-engineering attack" against the consumer or the provider. Connecting the data on the phone with data found online about the owner of the phone, such as an address, would make the thief well-armed, according to the report.
Google does require a personal identification number (PIN) to gain access to information and authorize payments, noting the application locks after use and when the phone screen goes black. But "the amount of data that Google Wallet stores unencrypted on the device is significant," according to the research.
The ViaForensics research made Google aware of the security holes. Google sent an updated build of Google Wallet for additional testing, which the company explains in a summary. Some holes have been plugged.