March 10th, 2011 by Jamie Estep
A Square payment without proper research fails
A long time ago I wrote an article about credit card skimming. It remains the most visited page on this blog, I believe, because credit card skimming is one of those concerns that apply to both consumers and to businesses.
About a year ago one of the founders of Twitter and some other talented business persons came up with a mobile payment method called square. Square is a very tiny card reader that attaches to the audio port on a smart phone. It’s truly a clever little device that utilizes an existing port that just about every phone has. Merchant’s can sign up with Square without any fee and just about instantly process. Because of the ease of setup, there’s been some angry customers with money held, but something like this should be expected as the services operates on a similar model to Paypal. Square got some quick funding, and went off to the races faster than any payment related service in history. However, there’s a problem…
Unfortunately, Square also introduced one of the most efficient and low cost methods of creating an advanced credit card skimmer. When you sign up with Square’s processing service, you get the square for FREE. That’s right, for free you can turn your iPhone into a credit card skimming device. Thieves don’t even have to pay the $50 or so for a skimmer anymore, they get one for free. Not only is Square efficient and free, but they’ve already distributed hundreds of thousands of these little skimming nightmares all over the US.
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
There are 2 major problem with the Square hardware.
First, the square device does not encrypt data being transmitted between the reader and the phone. This could easily leave the service open to a targeted attack where other software could read the card information when it is being transmitted between the reader and the phone. This sort of issue may never be a major problem as it would take very specific software or a compromised phone for this flaw to be taken advantage of. However, it still remains a security possibility, one that cannot be overcome without updating the hardware completely.
Second, since the hardware has no encryption or secure link between it and the phone/square service, a programmer could easily write a program that would simply record the card information onto a database or file on the phone. This is the main problem that Verifone and many others are up in arms about. With the large memory cards that are commonly found in phones, a thief could theoretically store millions of card numbers on their phone. Additionally, since just about everyone has a cell phone, it is considerably less conspicuous for a thief to skim cards with a phone than with the dedicated skimmers which look something between a pager or a magnetic card reader you would see attached to a computer.
This morning, VeriFone launched an entire website dedicated towards bringing down square. While VeriFone is a direct and probably the largest competitor of Square with their PayWare Mobile App, they have quickly illustrated not only that the square can be used for skimming, but that there is software that can already be used with the square hardware.
The problem now is that there are tons of these square credit cards readers all over the place, so the damage has already been done. At this point there’s literally nothing that can be done to prevent skimming using square devices. There’s even applications for blackberry and android that already work with the square hardware even though it was designed for the iPhone and iPad. I think that this sort of hardware is a perfect example of what happens when a company pushes software or hardware without putting enough in the research in how to make it secure. There’s more than 1 way to steal a credit card number…
With the amount of focus on PCI and data security of the last 10 years this is a blatant disregard for the most basic best practices, even those established 10 years ago. Twitter may be a whimsical concept, but there’s really nothing amusing about completely botching credit card data security at the expense of consumers and the businesses whom accept those stolen cards…
So, Jack Dorsey issued a rebuttal to VeriFone‘s website and statements about the Square.
Second, as Dorsey points out, credit card fraud is not new. Every single time you hand over your credit card to someone (whether it is a merchant using Square, or any one of the dozens of other credit card input methods) you are trusting them not to steal it. Criminals steal credit card numbers all the time, both online and offline. But it happens, and when it does, consumers are not liable for fraudulent charges, the credit card companies are.
What’s not fair or accurate is Jack Dorsey’s fundamental lack of understanding of how the credit card industry works! Any merchant knows that if they accept a credit card that was stolen, they are liable for the fraudulent charges. There’s no magical credit card company that’s going to float in and take responsibility for it. The merchant loses when it comes to credit card fraud, plain and simple.
This disregard to merchants all while Square is trying to sell them a processing service is simply insulting. I’m a merchant as well, and this is just disrespectful.
After reading this, I am completely convinced that Jack Dorsey and Square have no business providing a payment service of any type to anyone. Stick to tweeting…