The Overblown Square Credit Card Reader Security Disaster

Square’s credit card reader for iOS/Android devices is pretty awesome – it lets anybody quickly and easily start taking credit card payments. But according to Douglass Bergeron, the CEO of competing company Verifone, the reader itself doesn’t encrypt anything in hardware: it passes the magnetic-stripe data to the phone in the clear, so anyone could write an app that strips the unprotected info off your card.

Verifone’s smear campaign is impressive, to say the least. They’ve launched a site dedicated to attacking Square and released, for anyone to download, a demo version of a Square skimming app their own engineers developed (with the actual skimming abilities left out). Somehow they fail to mention that they’ve got their own competing product in the mobile payments space.

Here’s the reality: in order for your card to get “skimmed” by a fake Square reader, you’d have to hand over your card to the fraudster in the first place to allow it to be scanned. Would you really hand over your credit card to somebody you didn’t trust? And even if you do get scammed that way, how is it so different from handing your card to a waiter in a restaurant who secretly skims it in the back? It’s the human element that’s the real problem.

Bergeron thinks Square should recall all its readers until it finds a way to secure the device. Square should definitely do everything it can to make the service and devices as secure as possible, but you can keep swiping at places you trust without freaking out, despite Verifone’s best efforts to make you. [Verifone via GigaOM]
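To make concrete what “isn’t hardware-encrypted” means, here is an added example (my own code, not Square’s, Verifone’s, or the author’s): the track data a non-encrypting reader delivers to the phone, and the few lines an app needs to read the account number, expiry and name out of it. The sample swipe and the surrounding buffer are constructed using the 4111111111111111 test PAN and a fictitious cardholder; the regular expressions follow the ISO/IEC 7813 track 1 and track 2 layouts.

```python
"""Added example, not code from Square, Verifone or the article's author:
what a reader that does not encrypt in hardware hands to the phone, and how
little work an app needs to turn it into a skimmer.  Track layouts follow
ISO/IEC 7813; the swipe below is constructed with the 4111111111111111 test
PAN and a fictitious cardholder."""
import re
from typing import Dict, List

# Constructed plaintext swipe: track 1 followed by track 2, exactly the
# strings a non-encrypting reader delivers to whatever app is listening.
SAMPLE_SWIPE = (
    "%B4111111111111111^DOE/JANE^25121011000000000000?"
    ";4111111111111111=25121011000000000000?"
)
# Constructed handset buffer with the swipe buried in unrelated traffic.
SAMPLE_STREAM = "GET /sync ok\n" + SAMPLE_SWIPE + "\nbattery 73% charging\n"

# Track 1, format B: %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit.  A skimmer uses it to drop misreads before exfiltrating."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Last four digits only, which is all a well-behaved app should ever log."""
    return "*" * (len(pan) - 4) + pan[-4:]


def parse_swipe(raw: str) -> Dict[str, object]:
    """Every field recoverable from plaintext reader output; {} if no track parses.

    This is the whole 'skimming' step: the reader has already done the
    hard part by decoding the stripe into characters."""
    t1 = TRACK1_RE.search(raw)
    t2 = TRACK2_RE.search(raw)
    rec = t2 or t1
    if rec is None:
        return {}
    pan, exp = rec.group("pan"), rec.group("exp")
    return {
        "pan": pan,
        "pan_valid": luhn_ok(pan),
        "expiry": f"{exp[2:]}/{exp[:2]}",  # YYMM on the stripe -> MM/YY
        "service_code": rec.group("sc"),
        "name": t1.group("name") if t1 else None,
    }


def find_card_data(stream: str) -> List[str]:
    """Sweep arbitrary handset I/O for anything that parses as a track record
    and passes Luhn; returns masked PANs.  Handset malware runs the same scan
    regardless of which payment app did the swipe."""
    found: List[str] = []
    for rx in (TRACK2_RE, TRACK1_RE):
        for m in rx.finditer(stream):
            masked = mask_pan(m.group("pan"))
            if luhn_ok(m.group("pan")) and masked not in found:
                found.append(masked)
    return found


if __name__ == "__main__":
    fields = parse_swipe(SAMPLE_SWIPE)
    fields["pan"] = mask_pan(str(fields["pan"]))  # never print a full PAN
    print(fields)
    print(find_card_data(SAMPLE_STREAM))
```

Run it and the `parse_swipe` result is everything a fake app, or malware scanning the handset’s I/O with `find_card_data`, would capture from one swipe. With a reader that encrypts in hardware the same functions return nothing, because the app only ever sees ciphertext it holds no key for.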

(7 Comments)

    Cameron

    Thursday, March 10, 2011 at 10:59 AM

    I’ve said from the outset of this Square device that it just seems far too easy for people to skim your details with.

    It’s designed for people who wouldn’t traditionally have use for full eftpos machines, which means they’d probably not be a registered business, or such a small business that it would be hard to get any background details on.

    You don’t even need to hand your card over to this guy though; he could in fact offer you his iPhone and Square reader and you could swipe it yourself. This differs from, say, handing your card over to people to swipe whilst you’re not looking; it creates a false sense of security.

    It would be much simpler to create software to skim cards for iPhone or Android than it would be to manufacture an entire skimming eftpos machine. You’ve already got the hardware, and there is so much documentation on how to write applications for these devices.

    Most people wouldn’t be able to spot the difference between a real app and a skimming app for square unless they used it every day. If it’s your first time using it you’ve probably got no idea what you need to do. You could potentially not only capture card magnetic strip details, but also credit card numbers/expiration/CCV combos and even PIN numbers.

    I’m not saying that there aren’t dangers in getting your card details swiped off a dodgy shop using an eftpos machine, but these Square devices do seem to make it far too easy.


    Glenn

    Thursday, March 10, 2011 at 2:25 PM

    Any CC reader is hackable, and can be turned into a skimmer. This happened already where bank-supplied CC machines were hacked into skimmers by fraudsters in the few minutes they were going through the drive-thru!

    http://www.watoday.com.au/wa-news/breakthrough-as-two-arrested-over-eftpos-skimming-fraud-20091222-lb77.html

    There are also numerous reports of ATMs being converted into skimmers as well…

    I don’t think any hardware manufacturer is making secure machines yet.


    azmikey30

    Friday, March 11, 2011 at 3:28 AM

    The human element isn’t the problem.

    Verifone and Square both ignored the elephant in the room: the proliferation of malware on the handsets. It’s on PCs today and merely captures anything coming through a USB that looks or smells like a card number. Same thing on the handset.

    Square can talk all they want about JP Morgan and sending texts. That’s all fine and good, but what happens when the guy selling couches at his yard sale processes a transaction and the handset has malware that sends the card data off to the Ukraine while simultaneously the Square application processes a “real” transaction? It will happen, and Square has no way to protect against this type of problem because they chose to go the inexpensive route. Does anyone really think the guy selling his couch bothers to put antivirus or malware protection on his handset?

    The problem is not a fake app. The problem is data in the clear entering the handset. Verifone did not go far enough in their statement. Instead of going after Square, they could have mentioned Square and all the other stuff that is dangerous. Yes, as consumers we are protected against fraud. However, when there is technology available (not just from Verifone) to protect consumers and companies choose not to use that technology for cost or other reasons, they should be called out.

    It has been mentioned elsewhere that Verifone’s CEO is appearing as a bully. Perhaps. In my opinion, he showed restraint, and going further would have called out Visa and MasterCard for failing to give consumers more secure cards. It’s one thing to call out a start-up. It’s something else to call out a behemoth. Dorsey, however, appears petulant and completely dismissive of the real issue. Either he doesn’t understand, or he doesn’t want to reveal the real problem. Not a chance in the world that I would give my card to someone using something like Square (and there are many other companies using the same readers).


    AllenH

    Friday, April 29, 2011 at 5:47 AM

    Thank God someone is talking sense. Skimming has been happening forever. Square hasn’t done anything other than give someone the same magnetic-strip reader available in your old tape deck.

    The real problem is the current credit-card formats and system. Why haven’t we moved to a public-key/private-key digital signature method for each transaction? We could stop practically all credit-card fraud if we used proper digital signature and encryption tech.

    The real elephant in the room is that the credit-card is long outdated and in serious need of being trashed for a proper secure system of payment.

    The first bank to do this effectively and offer an insanely low interest rate (due to lack of fraud) will grow by leaps and bounds. That bank will outpace everyone in the current market doing credit card transactions. I wish I had the cash to start it.


    Kate

    Wednesday, September 14, 2011 at 2:22 PM

    Does anyone know when this will be released in Australia?


    George

    Wednesday, November 16, 2011 at 2:07 AM

    The problem with the Square reader is that it lowers the threshold to skimming to the point where it almost encourages it. Smartphone-based card acceptance is spreading because it allows very small merchants and private sellers to accept cards without the high costs and hassles of a terminal. If skimming through the Square reader becomes common it will destroy the trust in phone-based card acceptance and will deny this convenient low-cost solution to the small guy. But the most evil thing about the Square situation is, however, that Visa — who had forced merchants and terminal vendors to spend billions on PCI security — is an investor in Square. That is why they get away with it!


    mark

    Wednesday, March 14, 2012 at 10:59 AM

    Couldn’t Square just add a security feature that means the device can only be used with authorised software, so the hardware cannot be used with unauthorised software?
    There must be a programmer out there that can solve this.
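As an added example (my own code, not Square’s, Verifone’s or the commenter’s), here is why a reader that only releases data to “authorised software” is weaker than one that encrypts in hardware. The keys and the track string are constructed; the HMAC-based stream cipher is a toy stand-in for the 3DES/AES DUKPT encryption real encrypting readers use, and must not be deployed.

```python
"""Added example (not Square's, Verifone's, or any commenter's code): why
binding the reader to "authorised software" alone does not stop a skimmer,
and what encrypting in the reader head changes.  Keys and track data are
constructed; the HMAC stream cipher is a toy stand-in for the 3DES/AES
DUKPT schemes real encrypting readers use, not something to deploy."""
import hashlib
import hmac
import os

APP_KEY = b"secret shipped inside the merchant app"      # constructed
HEAD_KEY = b"secret injected into the reader at factory"  # constructed
TRACK2 = b";4111111111111111=25121011000000000000?"       # test PAN


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: XOR data with HMAC(key, iv||counter) blocks.
    Symmetric, so the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = mac(key, iv + (i // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Reader:
    """Models the two designs.  swipe_if_authorised is the comment's idea:
    release plaintext only to software that proves it holds APP_KEY.
    swipe_encrypted never releases plaintext at all."""

    def __init__(self) -> None:
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def swipe_if_authorised(self, response: bytes, track: bytes):
        if self.nonce is None or not hmac.compare_digest(response, mac(APP_KEY, self.nonce)):
            return None
        self.nonce = None  # one-shot challenge
        return track

    def swipe_encrypted(self, track: bytes, iv: bytes = b"") -> bytes:
        iv = iv or os.urandom(16)
        return iv + keystream_xor(HEAD_KEY, iv, track)


def app_answer(key_the_app_holds: bytes, nonce: bytes) -> bytes:
    """What any app, legitimate or skimmer, does with the nonce it is given."""
    return mac(key_the_app_holds, nonce)


def backend_decrypt(blob: bytes) -> bytes:
    """Only the processor's backend holds HEAD_KEY, so only it sees the PAN."""
    return keystream_xor(HEAD_KEY, blob[:16], blob[16:])


def looks_like_track2(data: bytes) -> bool:
    return data.startswith(b";") and b"=" in data and data.endswith(b"?")


def compare_designs() -> dict:
    reader = Reader()
    # 1. Authorised-software check, legitimate app holding APP_KEY.
    legit = reader.swipe_if_authorised(app_answer(APP_KEY, reader.challenge()), TRACK2)
    # 2. Same check, skimming app that copied APP_KEY out of the legitimate app.
    stolen = reader.swipe_if_authorised(app_answer(APP_KEY, reader.challenge()), TRACK2)
    # 3. App with a wrong key is refused, as intended.
    wrong = reader.swipe_if_authorised(app_answer(b"guess", reader.challenge()), TRACK2)
    # 4. Encrypting head: every app, honest or not, receives ciphertext only.
    #    Fixed IV so the comparison is repeatable; a reader draws it fresh.
    blob = reader.swipe_encrypted(TRACK2, iv=bytes(range(16)))
    return {
        "legit_app_gets_plaintext": looks_like_track2(legit or b""),
        "skimmer_with_stolen_key_gets_plaintext": looks_like_track2(stolen or b""),
        "wrong_key_refused": wrong is None,
        "skimmer_sees_plaintext_from_encrypting_head": looks_like_track2(blob),
        "backend_recovers_track": backend_decrypt(blob) == TRACK2,
    }


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name}: {result}")
```

The authorised-software check works as intended against an app with the wrong key, but the key the legitimate app proves knowledge of lives inside a phone app and can be copied out of it, after which a skimming app passes the same check and gets the same plaintext. Encrypting at the read head moves the secret into the reader, where the phone cannot reach it: every app sees only ciphertext, and the processor’s backend is the first place the PAN appears in the clear.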
