March 10th, 2011 by Jamie Estep
A Square payment without proper research fails
Filed in: Credit Card Equipment, Fraud, Merchant Accounts | 8 comments
A long time ago I wrote an article about credit card skimming. It remains the most visited page on this blog, I believe, because credit card skimming is one of those concerns that applies to both consumers and businesses.
About a year ago one of the founders of Twitter and some other talented business people came up with a mobile payment method called Square. Square is a very tiny card reader that attaches to the audio port on a smartphone. It’s truly a clever little device that uses an existing port that just about every phone has. Merchants can sign up with Square without any fee and start processing almost instantly. Because of the ease of setup, there have been some angry customers with money held, but something like this should be expected, as the service operates on a similar model to PayPal. Square got some quick funding and went off to the races faster than any payment-related service in history. However, there’s a problem…
Unfortunately, Square also introduced one of the most efficient and low-cost methods of creating an advanced credit card skimmer. When you sign up with Square’s processing service, you get the Square reader for FREE. That’s right, for free you can turn your iPhone into a credit card skimming device. Thieves don’t even have to pay the $50 or so for a skimmer anymore; they get one for free. Not only is Square efficient and free, but they’ve already distributed hundreds of thousands of these little skimming nightmares all over the US.
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
There are two major problems with the Square hardware.
First, the Square device does not encrypt the data transmitted between the reader and the phone. This leaves the service open to a targeted attack in which other software on the phone reads the card information while it is being passed from the reader to the phone. This may never become a major problem, since exploiting it would take very specific software or a compromised phone. However, it remains a real security weakness, and one that cannot be fixed without replacing the hardware completely.
Second, since the hardware has no encryption or secure link between it and the phone or the Square service, a programmer could easily write a program that simply records the card information to a database or file on the phone. This is the main problem that VeriFone and many others are up in arms about. With the large memory cards commonly found in phones, a thief could theoretically store millions of card numbers on their phone. Additionally, since just about everyone has a cell phone, it is considerably less conspicuous for a thief to skim cards with a phone than with a dedicated skimmer, which looks like something between a pager and the magnetic card reader you would see attached to a computer.
This morning, VeriFone launched an entire website dedicated to bringing down Square. While VeriFone, with its PayWare Mobile app, is a direct and probably the largest competitor of Square, they have quickly demonstrated not only that the Square reader can be used for skimming, but that software already exists that works with the Square hardware.
The problem now is that there are tons of these Square credit card readers all over the place, so the damage has already been done. At this point there’s literally nothing that can be done to prevent skimming using Square devices. There are even applications for BlackBerry and Android that already work with the Square hardware, even though it was designed for the iPhone and iPad. I think this sort of hardware is a perfect example of what happens when a company pushes software or hardware without putting enough research into how to make it secure. There’s more than one way to steal a credit card number…
With the amount of focus on PCI and data security over the last 10 years, this is a blatant disregard for the most basic best practices, even those established 10 years ago. Twitter may be a whimsical concept, but there’s really nothing amusing about completely botching credit card data security at the expense of consumers and the businesses that accept those stolen cards…
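As an added illustration (not code from the post, from Square or from VeriFone), the following Go program models the two designs the post contrasts: a reader that hands the phone plaintext Track 2 data, which any app on the phone can parse, beside a reader head that encrypts the stripe under a key only the payment processor holds, so the phone and anything running on it see ciphertext plus the last four digits for the receipt. The Track 2 sample (built on the public Visa test number), the key and all function names are constructed assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

const sampleTrack2 = ";4111111111111111=2512101000000000?" // constructed: ISO/IEC 7813 layout, public Visa test PAN, not a real card
// parsePAN pulls the PAN out of plaintext Track 2 data: exactly what any app
// on the phone can do when the reader hands over the raw stripe, as the post describes.
func parsePAN(track2 string) (string, error) {
	m := regexp.MustCompile(`^;(\d{13,19})=\d+\?$`).FindStringSubmatch(track2)
	if m == nil {
		return "", errors.New("not plaintext Track 2 data")
	}
	return m[1], nil
}
// NewLinkCipher: AES-256-GCM shared by the reader head and the processor only; the phone never holds the key.
func NewLinkCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EncryptedReaderOutput models the alternative: the reader encrypts the stripe before it
// reaches the phone and exposes only the last four digits, bound to the ciphertext as AAD.
func EncryptedReaderOutput(track2 string, link cipher.AEAD) ([]byte, string, error) {
	pan, err := parsePAN(track2)
	if err != nil {
		return nil, "", err
	}
	nonce := make([]byte, link.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, "", err
	}
	last4 := pan[len(pan)-4:]
	return link.Seal(nonce, nonce, []byte(track2), []byte(last4)), last4, nil // nonce prepended
}
// ProcessorDecrypt runs at the processor; Open rejects a wrong key, a tampered blob or an altered last4.
func ProcessorDecrypt(blob []byte, last4 string, link cipher.AEAD) (string, error) {
	n := link.NonceSize()
	if len(blob) < n {
		return "", errors.New("blob too short")
	}
	plain, err := link.Open(nil, blob[:n], blob[n:], []byte(last4))
	return string(plain), err
}
```

With the plaintext design, parsePAN recovers the full card number from whatever the reader emits; with the encrypting design, the same call on the reader's output fails and only ProcessorDecrypt, holding the key, gets the stripe back.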
Update 03-10-2011
So, Jack Dorsey issued a rebuttal to VeriFone’s website and statements about the Square reader.
Second, as Dorsey points out, credit card fraud is not new. Every single time you hand over your credit card to someone (whether it is a merchant using Square, or any one of the dozens of other credit card input methods) you are trusting them not to steal it. Criminals steal credit card numbers all the time, both online and offline. But it happens, and when it does, consumers are not liable for fraudulent charges, the credit card companies are.
What’s not fair or accurate is Jack Dorsey’s fundamental lack of understanding of how the credit card industry works! Any merchant knows that if they accept a credit card that was stolen, they are liable for the fraudulent charges. There’s no magical credit card company that’s going to float in and take responsibility for it. The merchant loses when it comes to credit card fraud, plain and simple.
This disregard for merchants, all while Square is trying to sell them a processing service, is simply insulting. I’m a merchant as well, and this is just disrespectful.
After reading this, I am completely convinced that Jack Dorsey and Square have no business providing a payment service of any type to anyone. Stick to tweeting…
Seems to me like the entrenched interests in this industry feel threatened by Square’s business model, which in my opinion will be a real game changer.
Mr. 4023, seems to me like you are a Square fanboy. You obviously have no idea what you just read. If you accept a stolen credit card number from malware that is residing on a Square user’s smartphone, you get hit with a chargeback fee and you lose. Now that Square has dropped a bomb into the payments industry, you’ll see rates and fees go up as a result. Nobody is threatened by Square; Jack Dorsey needs to dabble back in social media and stay away from making the payments industry less secure by his ignorance and lack of foresight.
I have noticed that the accepted interests in this industry feel threatened by Square’s business model, which in my assessment will be an absolute bold changer.
I will say as a Square user that I believe that a lot of the negative publicity that VeriFone is putting out about the Square reader is incorrect and is sour grapes. For heaven’s sake, VISA has just invested in the SquareUp company! That seems to show me that it’s much safer than VeriFone is making it out to be. I think that VeriFone wants to kill off a viable competitor with half truths. Does it state in VeriFone’s open letter that it took VeriFone SIX MONTHS to figure out how the Square dongle even worked to get to a starting point to write that code, not just the hour to write a program, which may be easy once you take the 6 months of R&D that was needed? Does it state that their programmer is already familiar with banking and commerce software and cc processing software and encryption? NO it does not.
In conclusion – I have to stick with my Square even so; I CAN’T afford as a small merchant to pay the merchant fees + the monthly VeriFone fees + the activation fee + the cost of the reader itself. I will say that even if I could, at this point I would not, as what they have just attempted with this slander campaign is pretty shady.
Thanks for commenting. I definitely understand your concern with the cost of VeriFone’s PayWare or the other phone-based swiping products out there.
My main criticism is that Square could have easily designed some security into the device from the start. They took the path of least resistance and potentially put a product on the market that is not secure. If any program on the phone can potentially intercept raw card data between the reader and the Square software on the phone, “security hole” falls far short of what this really is.
Secondly, let’s just pretend that security isn’t an issue. Square is giving out very portable skimming devices for free. Skimming is a huge problem and has been for several years. While it may only cost a little to set up a skimmer yourself, Square provided a zero-barrier method to create a skimming device. Additionally, an iPhone, Android or BlackBerry, all of which can now be hacked to use the Square device, can hold a ton of card numbers, far more than the normal portable skimmer.
Square took a product that they really wanted to put out there and launched it without a lot of thought into things like security or skimming, etc. At least one of these could have been addressed very early in their development cycle. Unfortunately, consumers won’t feel anything from fraud relating to this if there is some. Merchants pay almost 100% for credit card fraud originating from skimming or stolen-card transactions.
Jack Dorsey’s lack of understanding of the credit card industry is deplorable and simply insulting to the merchants that bear the cost of fraud.
What do you mean Verifone slandered Square? I think Verifone is basically exposing the facts and the concerns that have been hidden from the public eye by an overzealous sales campaign by Square. Square has rushed a product into the payments industry without doing their due diligence and proper security checks. Is their product even PCI PA-DSS certified? What market is his product targeting other than “back alley” transactions? I think everyone should have to undergo getting a business license and Federal Tax ID, as well as an underwriting requirement, before they can process credit cards. Jack Dorsey is asking for trouble and putting both merchants and consumers at unnecessary risk, all for the idea of making a quick buck. Pathetic in my opinion. Kudos to Verifone for exposing Square!
Actually the device is not a game changer; there are other low-cost comparable devices like roampay’s that are secure…Square has just been hyped beyond belief.
Another use of the Square device is as a waitress skimmer. Previously she or he had to take your card in the back room and write down the number if she wanted to do something criminal with it; now all she needs to do is swipe it on her phone, and she can sell probably 50-100 card “mag stripes” a day on the black market if she so chooses…what this allows is criminals creating full credit cards that can be taken into the store to buy tangible items; if the criminal is smart he heads to Best Buy and the only time the stolen card data is used is for thousands of dollars of electronics.
The lack of security and response is one of a long line of indications that Square’s founders did not primarily understand payments…I have several of the devices (why not, they were free), but Square does not know and has no idea what I am using them for: skimming cards, selling beer?, prostitution payments?
Funny, PayPal tried what Square did long before smartphones were a reality and it failed. 2 years in and Square is still failing. Everyone is touting that Visa made an investment in Square, which is actually a twisted truth. Visa has invested in many areas of the industry and heavily in making sure that they are not the responsible party when there is a breach. (PCI compliance anyone?) They want to make sure that they will get the lion’s share of profit when there is a breach. So, if Square is breached, then Visa will surely double their profits, and either way they win with an investment. Anyhow, sounds like we have a couple of Square and Jack Dorsey fanboys on here, and all I have to say is EPIC FAIL! My Square device rarely works, and when it does I get dinged with extremely high rates and I cannot run over $1500/week. So, good for garage sales for yuppies with disposable income, but a real business owner requires a real merchant account, and Square is not a real merchant account provider. A friend referred me to his merchant provider, so I went with USA ePay and Newtek Merchant Solutions. Now I can run my business without having to worry about caps and artificial restrictions that Square imposes. Square is a joke and it won’t survive, mark my words.