Article by: Rick Broida, of BNET
Square is a smartphone-powered gizmo that allows merchants to accept and process credit-card payments for next to nothing. BNet was so fond of it, in fact, that they named it one of the top business gadgets of 2010.
So imagine everyone’s surprise when VeriFone CEO Douglas Bergeron released an open letter – and set up an entire Web site – citing “a serious security flaw that Square has overlooked that places consumers in dire risk.”
What’s the problem? According to Bergeron, the Square hardware (which plugs into your phone’s headphone jack) is easily hacked, meaning criminals can “turn the device into a skimming machine in a matter of minutes.”
Scary, right? Well, yes, until you look at the facts:
- VeriFone is a Square competitor, a Goliath to tiny upstart David. It would be one thing if Visa or MasterCard had raised concerns about Square security, but when a competitor does it, you can’t help but question the motives.
- Similarly, it can’t be a coincidence that VeriFone’s letter arrived just a week or so after Square announced that it was eliminating the 15-cent fixed transaction fee on credit-card payments. The industry standard: 30-45 cents per transaction.
- As Square CEO Jack Dorsey rightly pointed out in his response to VeriFone, credit-card fraud is not new. “If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.” Furthermore, banks don’t hold consumers responsible for fraudulent transactions, regardless of how they occur.
- Bergeron’s letter may be addressed to “the industry and consumers,” but there’s no mistaking its intent: to frighten consumers away from Square and toward “secure payment systems, like those provided by VeriFone.”
For the rest of the story, read the statements from both sides.
An Open Letter to the Industry and Consumers
Today is a wake-up call to consumers and the payments industry. Last year, a start-up named Square introduced a credit card reader for smartphones with the goal of making it very easy for anyone to accept credit cards through a mobile device. Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.
In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.
Let me explain how easy it is to exploit the vulnerability.
“…someone could write an application that captures input from the Square mag stripe reader and then stores that card data, perhaps sending it to a third-party. This could provide low-cost skimming for the masses.”
Robert Vamosi – Javelin Strategy & Research
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.
There are hundreds of thousands of these unsecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.
Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.
Don’t take our word for it. See for yourself by downloading the sample skimming application and viewing a video of this type of fraud in action.
Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor), and we invite their comments.
Consumer trust is what’s really at stake. If the industry allows Square and other similar attempts to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure and financial systems developed over the last three decades.
Secure payment systems, like those provided by VeriFone and other credible providers which adhere to the highest level of security practices, are critical in protecting consumers, merchants and banks. Without this protection, all commerce – conducted with plastic or mobile devices – is a catalyst for massive personal and institutional financial loss.
There is great promise in the future of mobile payments and our innovations will help drive the industry forward. It is our hope that both consumers and merchants will take it upon themselves to become educated on the security risks involved with some of these experimental payment acceptance methods, like Square, and make informed decisions to protect themselves and their customers.
We take security very seriously. Securing payment transactions is what we do, and yes – calling attention to and protecting against these types of security threats to consumers, merchants and banks is our responsibility.
We call on Square to do the responsible thing and recall these card skimming devices from the market.
Douglas G. Bergeron
Chief Executive Officer
A Letter on Credit Card Security and Square
Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card.
Any technology – an encrypted card reader, phone camera, or plain old pen and paper – can be used to “skim” or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to – no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.
The bank that issues your credit card recognizes this and does not hold you responsible for fraudulent charges. When they are alerted to odd activity, they simply give you a call and will reverse the transaction. With Square, your credit card is designed to be used without worry, in more places than ever before.
Our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security. For instance, you can request an instant text message or email receipt delivered from our secure squareup.com server after every transaction.
At Square we work tirelessly to remove all complexity from accepting credit cards. That includes removing every concern around security. We thank you for your increasing support to make Square the leading way to pay with a credit card, safely.
Jack Dorsey
CEO, Square
March 9, 2011