A couple of months ago, I was introduced to the Square credit card app for iPhone and Android, and immediately started using it to sell copies of my book, Branding Yourself.
It’s been a real life saver. There have been a number of times I’ve been at a seminar or talk, and someone wanted to buy the book, but didn’t have the cash. For a 2.75% fee (collected from my price, not added to the customer’s), I was able to accept that person’s credit card just by swiping it on the free card reader from @Square.
I’ve been meaning to write this post for some time now, but felt the urgency after the manner in which Verifone shamefully attacked Square’s security.
Verifone, a competitor of Square’s, called the security of Square’s credit card reader and encryption into question. They did it by writing an app that would allow people to steal someone’s credit card information — assuming you handed your credit card to someone you didn’t know and they had this app.
Verifone wrote the app, published an open letter to Square and its users, calling on the company to recall the reader, and then sent a copy of the hack app to the four major credit cards. They also sent the app to JP Morgan Chase, Square’s credit card processor, in an attempt to cripple Square’s business. Oh, and they also made a copy of the app available for any thief who steals a credit card, thus enabling thieves everywhere to take full advantage of the flaw they pointed out. And they very helpfully uploaded a YouTube video that showed thieves how they can use the app to steal from people. (You can read all of this at sq-skim.com. I’m not linking to it, because they don’t deserve the SEO juice.)
(I’m reminded of the record companies who argued that Napster and other peer-to-peer networks enabled people to steal music. They sued the bejeezus out of Napster and got them shut down. Can Square do the same thing to Verifone now?)
Verifone’s actions are some of the slimiest I have seen in the business world in years. This is typical of the behavior I would expect from Karl Rove during an election, or some guy telling me he’s the son of a deposed Nigerian prince, not a business that wants me to trust them with my money. Maybe I’m naive, but I tend to see the good in everyone until proved otherwise. Verifone just proved otherwise.
From Verifone’s open letter: (B)ecause anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.
Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.
Do you know what else is insecure about credit card transactions? Everything. Verifone isn’t pointing out anything new.
Here are some other ways you could steal someone’s credit card numbers.
- Take a photo of it with your cell phone camera.
- Memorize it.
- Write it down.
- Steal someone’s wallet.
- Trick someone into handing it to you.
Credit cards are insecure. Hell, your data isn’t even encrypted on that magnetic strip, so it’s not like Square’s reader is even a problem. Any thief with a pen and a scrap of paper is a security threat.
Here’s the thing: If you’re worried about someone stealing your credit card number with a Square app, don’t hand your credit card to people you don’t know or trust. The same is true if a business uses a Verifone credit card system. This also includes waiters and waitresses who work in restaurants that already use Verifone’s credit card processing, store clerks that already use Verifone’s credit card processing, or calling catalog 800 numbers that use Verifone’s credit card processing. All of these places can have people who steal your credit card information with one of the methods I just listed, despite Verifone’s secure encryption.
The “problem” Verifone pointed out lies more in the fact that people could trick you, not in the fact that Square’s reader — or your credit card — is not encrypted. You run the same danger of being ripped off by a thief who gets a job as a waiter or by having your wallet or purse stolen. Yet Verifone doesn’t tell you that. No, they only attack a company that is a serious threat to their profit margins.
What Verifone did is shameful, sleazy, and unethical. I decided a long time ago that I would never do business by bashing the competition. It didn’t matter whether they had horrible products or were nasty, immoral people. I would make comparisons between products, but I would never denigrate or embarrass a competitor. And I certainly wouldn’t do it in so grandiose and public a manner.
If Verifone can call on Square to recall their reader, then I’m calling on Verifone to remove their theft-enabling app and video showing people how to steal. I also think if people have their credit card information stolen by a Verifone app, they should sue Verifone immediately, forcing them to make restitution to the victims.
While I believe that every consumer has a right to credit card security and safety, and that Square should solve this problem (if it is indeed their problem, and not the credit card issuers who send out unencrypted credit cards), I think Verifone did more to harm their reputation than they did to hurt Square’s. That, and they just made it easier for thieves to steal. So, you know, thanks for that.
Square can fix a security flaw, but no amount of coding can unsleaze Verifone. I can guarantee that my company will never become a Verifone customer. I simply can’t trust them.
@erik – I totally agree that Verifone’s behavior was sleazy and hypocritical. Hopefully Square gets this fixed and moves on.
@Mike, I’m not excusing Square’s actions, I just don’t think Verifone should have been the ones to expose it. If Verifone is trying to protect their industry and the people they serve, there’s a better way to do it. Instead, they chose the sleazy way to do it. THAT’S my complaint.
@Derek, you know, I didn’t think about what Square thought. That IS a good point, and one worth considering. You know, if it had been an individual person, like a tech blogger, who pointed this out, then I would actually feel differently about the whole situation. And I DO believe that Square needs to fix the problem and pay for it. Hell, they process $1 million a day, which means around $275,000 in gross revenue per day, so it’s not like they’re strapped for cash.
So if that tech blogger had discovered Square’s flaw and made it public, I know I would not have complained about the blogger’s tactics. He would have been acting as a citizen journalist and providing a beneficial watchdog service to the community at large.
But when a competitor does it, it violates an unwritten rule (well, MY unwritten rule) that companies do not bash their competitors or air their dirty laundry. We all get disgusted when we hear stories about this happening politically, decrying the dirty tricks that the parties and campaigns play on each other. I feel similarly disgusted when companies do it to each other.
So to your original point, I think regardless of whether Square knew they were putting out a shoddy product, they should be on the hook to fix it. I think they should recall these dongles, and send out new secure ones.
@erik – The problem is that Square KNEW that their system was insecure and sold their product anyway. It’s no different than a pharma company selling a drug that has known, deadly side effects. I suppose you’d like to blame the inconvenient scientists that exposed exactly how the drug was killing people to the public.
Public, proof of concept exploits are really the last resort when it comes to getting security problems fixed. Whenever you see one, be it this one, or last year’s Firesheep, or any of the myriad of Windows vulnerabilities, you have a situation where more than likely the technology provider was notified, over and over, and chose to either ignore the problem or did not believe it was really a problem. So you take it public, and the only way to credibly do so is release code that proves the exploit works (otherwise, the other party will probably sue you for libel).
It sucks to be Square, but don’t shoot the whistle blower. Instead aim the blame where it belongs: Square went cheap and got caught with their pants down.
@Mike, while Square should come up with a new encrypted reader — and it’s one I would be willing to pay for — I still feel the problem should not have been exposed by Verifone the way they did it.
The fact that they have made an illegal piece of software available means they should bear any responsibility for anyone who uses that app to steal. The music industry blamed Napster for people stealing music using Napster software, so the credit card industry should punish Verifone for people stealing credit card information using Verifone’s theft-enabling app.
This whole thing is simple… Square went on the cheap and got caught… nothing more simple than that. They want to try and save face, but need to just own the fact that they created the mess. Do you really not think Square didn’t know what they were putting out there?
@Doug – PCI rules probably do not apply to Square in this case, but they do apply to the merchant who purchased their processing from Square. So now it’s a matter of time until malware appears that exploits Square’s merchants, and in turn cardholders.
@Robby – You are right on. Square has been irresponsible.
@Paul – Square should have known this was coming and done three things: 1. Disclose the vulnerability. 2. Change to an encrypted swipe device (even if they make customers pay for it – that’s how cc terminal manufacturers deal with it when their hardware is obsoleted by the bad guys). 3. Release software that will not use the insecure card reader.
@Erik – Computer security works like this: someone calls and tells you a problem. In Square’s case industry insiders have known that their swipe device and software could easily be exploited for about six months. If you don’t do anything about a security problem, someone is going to take it to the public before the bad guys start systematically ripping people off. Proof of concept exploits suck and seem unethical, but it is the lesser of two evils. I’d rather see a company embarrassed and lose a few bucks to making it right than grandma have her life savings tapped because Square was too cheap to spend $38 instead of $22 on their card reader. I really agree with you on all the convenience stuff… but the truth is that Square screwed the pooch in a big way.
We need to have a little talk about security.
The point is not the credit card number. Of course credit card numbers are insecure. You can make an insecure purchase with the *information* on a credit card easily in a zillion different ways, such as picking up the phone or plugging numbers into a website.
However, the magstripe reader on a credit card IS NOT just a way to save you the trouble of typing in some information. Instead, the reader is a one-way encryption device that provides PROOF that the card is actually present. A CNP (card-not-present) transaction is inherently higher risk. But, the encryption process within the reader can only be executed with a real card. This gives the banks a much higher confidence that the card is not stolen.
We can agree that Verifone is being pretty slimy. But they are also pointing out that Square has made a boneheaded mistake. They are distributing a card reader which doesn’t actually provide any security advantage, which is the whole reason that card readers were invented in the first place! (Remember how they followed carbons, which also proved you had an original, raised plastic card?)
It’s also worth noting that there are much more terrifying implications than Verifone is pointing out. I don’t know if they are holding back, but here’s the nightmare scenario:
If a Square reader does not encrypt data, then a cellphone virus can be distributed which steals credit card numbers in transit from otherwise legitimate vendors.
This is a big deal. I don’t love the PR approach, but the problem is real and serious.
Erik,
I think there are a couple of issues taking place that trigger questions in my mind:
1. How does a company respond to negative attacks on their brand online?
A Crisis Communication plan might be what is needed on the shelf should something like this happen. Understanding how to combat the bad publicity online is another thing to consider. After all, “15 minutes of bad fame can lead to a lifetime on Google.”
2. If Verifone was held to a high standard in the past and pulled products as a result, why would they not do the same against a competitor?
Welcome to the credit card processing business where you have to have your ducks in a row, or we will pull your pants down and show what is underneath.
@Doug Maybe I need to do some more research… If credit cards are stored on MY PHONE and are not encrypted then that is a big deal. (Of course they shouldn’t be stored at all.) If credit cards are TRANSMITTED over the air not encrypted, that is also a big deal (and both are against PCI compliance).
If any part of Square’s SERVICE is insecure then they shouldn’t be used until its fixed immediately.
If the only insecure data being sent is from the headphone jack to their app… that doesn’t seem any more insecure than a lot of other things that are still used widely (and certified PCI compliant).
I understand PCI is no joke… I deal with it quite often, and the guy who sits across from me (our security guy) knows more about it than I do (he is the security guy) – next week when I’m in the office I might get his two cents on this.
How do you feel about Square providing you a device or service that isn’t secure according to the credit card industry? PCI compliance is no joke, I worked for a company that had to get compliant. These regulations are in place to protect consumers AND businesses. Square falls short of these requirements.
Would you feel the same about Square if your phone was stolen and you were held liable for hundreds of thousands of dollars in credit card fraud? You would be… not Square.
@scott – Not every mobile vendor does have a highly secure card swipe device, but several do. The problem is more secure costs more money, and Square is cheap and would have to change their rate structure to move to a more expensive swipe device as there are patents and royalties involved.
@asudduth The card swipe device provided by square simply does not meet modern (meaning now, this year, 2011) security needs. Square should have spent $10-$15 more for a device that encrypts card data before sending it to the phone’s headset jack and this little PR dust up would have never happened.
@paige – Verifone is huge, but what just happened is normal in the credit card world. Verifone has had to discontinue products over security in the past, so the hypocrisy is off the charts… but it does not change the fact that insecure is insecure.
Verifone’s actions are horrible and deplorable… but the fault for this is squarely on Square.
Square sold thousands of insecure acoustic swipe devices because they were trying to make their product as inexpensive as possible. Verifone never would have been able to make the video had Square spent $15 more for a card reader that encrypted the data before sending the data to the phone. Square is a merchant service provider and has the highest level of responsibility for protecting cardholders from fraud. It does not matter that older products like USB readers are insecure in the same way as Square’s product. Those products were not known to be insecure when they were created 12 years ago. What matters is that Square needs to provide a safer swipe device that meets today’s security needs.
That said, VeriFone has had others do exactly what they are doing to Square over VeriFone products in the past.
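The thread’s argument (a reader that encrypts before the headphone jack keeps card data away from the phone, and sending a PAN in the clear is a PCI problem) can be made concrete. The following is an added illustration, not code from Square, Verifone or this post: a constructed Track-2-style swipe using the standard test PAN, a check for cleartext PANs in whatever reaches the phone, and a stand-in encrypting reader. Because the Python standard library has no AES, the reader uses an HMAC-SHA256 counter-mode keystream plus an HMAC tag as a substitute for the authenticated cipher a real reader would use; the shared key is assumed to be injected at manufacture and known only to the reader and the processor.

```python
import hashlib
import hmac
import os
import re

# Constructed sample swipe (Track-2 layout: ;PAN=expiry+service+discretionary?).
# 4111111111111111 is the well-known test PAN, not a real card.
SAMPLE_TRACK2 = b";4111111111111111=25121010000012345678?"

# Assumed per-device key shared by reader and processor only; the phone never holds it.
READER_KEY = b"\x01" * 32

def luhn_ok(digits: str) -> bool:
    """Standard Luhn check used to tell a PAN from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def cleartext_pans(payload: bytes) -> list:
    """Luhn-valid 13-19 digit runs visible in the clear; what malware on the phone could read."""
    text = payload.decode("latin-1")
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]

def plain_reader(track: bytes) -> bytes:
    """Unencrypting reader: the phone (and anything on it) gets the raw track data."""
    return track

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypting_reader(key: bytes, track: bytes) -> bytes:
    """Encrypt-then-MAC inside the reader; only nonce||ciphertext||tag crosses the jack."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(enc_key, nonce, len(track))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Processor side: verify the tag before decrypting; reject anything tampered in transit."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("swipe data failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```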
I thought their video was pretty distasteful, too, as if every other merchant account and card swiping machine vendor has these elaborate processes to screen and protect consumers against the less trustworthy. I’m almost surprised that they didn’t finish the video by introducing a product just like it of their own that didn’t have the same vulnerability.
It’ll be interesting to see how Square responds, if they think it even dignifies a response.
If I am reading everything correctly there is no security flaw in any of square’s stuff. I trust that their application does encrypt the data as soon as it gets it and when its transmitting across the network. The only issue is if someone uses the reader (that square provides for free) in a way Square didn’t intend.
This is the same “security issue” you’d see if you spent $60 on a Magtek USB HID reader and carried around a tablet PC or netbook and swiped cards into Notepad (or your custom app designed to steal data).
Long story short, square just made it $60 cheaper to steal credit cards… but as far as I know there is no security issue with them at all.
(I’m not a Square customer, but have thought about looking into it. Reading the Verifone letter has not changed my opinion… at least not about Square.)
I started using my Square in January, after all the bugs were worked out. Prior to that I was using a Merchant Services call-in system which was truly risky, especially in a crowded situation. I used the “knuckle buster” to copy the CC info onto a receipt, then called the order into Merchant Services. After I called it in, I had to go to the receipt and black out all but the last 4 digits. Anyone standing around could memorize, photograph, snatch or otherwise get that info. Not only that, but the system was really expensive, particularly for someone who doesn’t take cards that often. There was a monthly fee, penalties for charging “too little” and a “swipe” fee. Additionally, I was limited to Mastercard and Visa only. With the Square system, I get MC, VISA, AE, and Disc. There is no monthly fee and the system is so easy to use! Credit card numbers are NOT stored on my phone, nor is other pertinent info, such as customer phone number or email address. I get a receipt via email as does the customer. All info is encrypted and sent directly to Square Up in San Francisco. I love this system!!!
Carmen
This enrages me.
What gets into people’s heads that make them do things like this? It’s not like this company really stands a chance of denting Verifone’s market with this one piece of technology — Verifone is massive.
PICK ON SOMEBODY YOUR OWN SIZE, JERKS.