Squaring It Off – VeriFone Tackles Mobile Payment Square

Squaring it Off!!

In an open letter to consumers and the credit card industry in general, VeriFone claims that Square, a startup that makes credit card readers for smartphones, is plagued by a “serious security flaw” that puts users’ data at risk.

According to VeriFone, the problem is not with the application but rather with the dongle that connects to the devices. This dongle reads credit card information off the magnetic stripe and transfers it to the device unencrypted, in clear text, allowing anyone to write a bogus skimming application that quickly collects all of that information. The collected information could then be used to make purchases with your credit card via the web or at various merchants across the world.

VeriFone, which makes credit card processing systems and is a direct competitor of the new startup, has created a skimming program itself to prove how it can be done, and apparently did it in under an hour. “In less than an hour, any reasonably skilled programmer can write an application that will “skim”—or steal—a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader,” VeriFone’s CEO Douglas G. Bergeron wrote in the letter. “How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.”

Jack Dorsey, who created Square with the idea of enabling anyone to accept credit card payments with the dongles, has not responded to VeriFone. However, in Square’s defense, all users need merchant accounts and go through a standard process before being authorized to accept credit card payments. The argument is that anyone could write a bogus mobile “Square” app and use it to skim any credit card they get their hands on.

In the open letter, VeriFone demands that Square recall all its card-reader dongles and says it is providing the mobile app to companies like Visa, MasterCard, Discover, American Express, and JP Morgan Chase for careful examination, essentially urging the major credit card houses to stop accepting payments processed via Square. “If the industry allows Square and other similar attempts to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure and financial systems developed over the last three decades.”

Of course, given that Square is seriously going to disrupt VeriFone’s financial wherewithal, this is no doubt an obstacle for Square to tackle. Yet some say that this is simply a PR campaign by VeriFone in an attempt to spread fear and doubt about a competitor’s product.

It is worth noting that the site Groovy Mother has pointed out that VeriFone is doing a complete turnaround on its own policy by publicizing an exploit, something VeriFone stated encourages bad behavior. For this, some are calling VeriFone complete hypocrites. Here is VeriFone’s statement from 2007, in response to security research showing that its credit card readers were insecure.

“We believe it is not in the best interest of the consumers, merchants and overall payment industry to publish the details of product designs describing potential attacks however remote those might be. Even if these attacks are difficult to be accomplished it gives the bad guys a leg up on research they would not have to do and encourages bad behavior.”

Perhaps VeriFone might instill some fear in a few, but the real issue is not with Square but with the credit cards themselves, as the data on the magnetic stripe is itself completely unencrypted. Hence, if change is to come, it should come from the credit card companies and the way they issue cards. However, Square will likely have to issue a statement or address this concern. We will see how they handle it. Stay tuned!!

Photo Courtesy of DEMO Conference
Photo Courtesy of Kmeron
Photo Courtesy of Square.