Square accused by rival of massive security failing

Payments vendor VeriFone has accused upstart Square of posing a serious security threat to users, claiming its rival's hardware can be easily turned into a skimming device by crooks and used to steal card details.

The brainchild of Twitter founder Jack Dorsey, Square provides merchants with a piece of plastic that fits into the headphone jack of Android-based handsets, iPhones and iPads, and acts as a card swipe for processing payments.

Only last week Dorsey took to Twitter to boast Square is now processing $1 million per day, while it is also reportedly signing up to 100,000 merchants for the service each month.

However, in an open letter, VeriFone CEO Douglas Bergeron accuses Square of "serious security flaws" that put "consumers in dire risk". Bergeron claims that a programmer can easily write an application in under an hour to steal card details using the Square readers.

"How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this," says the letter.

This is possible because the hardware is poorly constructed and cannot encrypt card data, opening up an opportunity for crooks posing as merchants.

As well as the open letter, VeriFone has posted a video running through its claims and sent a copy of the skimming app to Visa, MasterCard, Discover, American Express, and Square card processor JP Morgan Chase.

"We call on Square to do the responsible thing and recall these card skimming devices from the market," concludes the letter.

Dorsey insists VeriFone's allegation is "not a fair or accurate claim and it overlooks all of the protections already built into your credit card" and that "our partner bank, JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader".

"Any technology - an encrypted card reader, phone camera, or plain old pen and paper - can be used to 'skim' or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to - no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card," he argues.

Meanwhile, Intuit has told Finextra that its Square-like GoPayment system offers strong encryption - whether merchants use its iPhone sleeve hardware or the dongle that plugs into smartphone headphone jacks.

Says the vendor: "Security is key for Intuit offerings and GoPayment is no exception. Data is encrypted on the GoPayment app and also via all supported credit card readers. GoPayment protects data during transmission using the same technology as the financial services industry standard set forth by the Payment Card Industry (PCI) using an https connection over SSL at 128-bit encryption. At the same time, GoPayment never stores credit card information on your phone and a unique user ID and password is required to use GoPayment."

Finextra verdict

The digital Twitterati are up in arms over VeriFone's attack. Most seem to think that VeriFone is running scared of a disruptive competitor to its own PayWare Mobile product and that in publishing its letter the company has scored a massive PR own goal. Over here at Finextra Towers we're not so sure. In the open marketplace it's not Silicon Valley opinion that counts but popular consumer sentiment. The banks and card schemes have done a good job of warning the public about the security threat to card-based products. Let's put it this way: If you were approached by a market stall trader brandishing a mobile phone with a Square reader would you be happy to hand over your card? Our advice: Use cash - it's safer.

Comments: (5)

Lachlan Gunn - BenAlpin Ltd - Perth 10 March, 2011, 10:02

".....the hardware is poorly constructed and cannot encrypt card data, opening up an opportunity for crooks posing as merchants."

The skimming fraternity have shown great agility in the past, both at ATMs, POS terminals and unattended payment terminals.  This just sounds too easy.

I agree with the Finextra verdict............the same idea using encrypted card data, and a Chip card reader, would be a lot better - except in the USA of course, until they adopt EMV! 

A Finextra member 10 March, 2011, 21:44

Yet another example of the US claiming payment innovation when they are stuck in the Stone Age.  

Michael Fuller - None - London 11 March, 2011, 11:41

Don't you mean "startup" rather than "upstart"?

A Finextra member 11 March, 2011, 14:38

Interesting how Verifone pitches the irresponsibility on the “Square” side of the fence – haven’t Verifone inadvertently provided a skimming platform for the masses? Previous to Verifone’s intervention a clever few may have been able to perform this – now they have enabled anyone to do it.

An interesting and strategic attack on an emerging competitor – this should cause others to take note – the upcoming NFC/Mobile application war/campaign may end up being a blood-bath.

Matt White - Finextra - Toronto 11 March, 2011, 16:25

Either works.


Verifone initially invited people to download the app it built but quickly realised this was pretty stupid (and potentially legally problematic) and removed it.