It’s been a real life saver. There have been a number of times I’ve been at a seminar or talk, and someone wanted to buy the book, but didn’t have the cash. For a 2.75% fee (collected from my price, not added to the customer’s), I was able to accept that person’s credit card just by swiping it on the free card reader from @Square.
I’ve been meaning to write this post for some time now, but felt the urgency after the manner in which Verifone shamefully attacked Square’s security.
Verifone, a competitor of Square’s, called the security of Square’s credit card reader and encryption into question. They did it by writing an app that would allow people to steal someone’s credit card information — assuming you handed your credit card to someone you didn’t know and they had this app.
Verifone wrote the app, published an open letter to Square and its users, calling on the company to recall the reader, and then sent a copy of the hack app to the four major credit cards. They also sent the app to JP Morgan Chase, Square’s credit card processor, in an attempt to cripple Square’s business. Oh, and they also made a copy of the app available for any thief who steals a credit card, thus enabling thieves everywhere to take full advantage of the flaw they pointed out. And they very helpfully uploaded a YouTube video that showed thieves how they can use the app to steal from people. (You can read all of this at sq-skim.com. I’m not linking to it, because they don’t deserve the SEO juice.)
(I’m reminded of the record companies who argued that Napster and other peer-to-peer networks enabled people to steal music. They sued the bejeezus out of Napster and got them shut down. Can Square do the same thing to Verifone now?)
Verifone’s actions are some of the slimiest I have seen in the business world in years. This is typical of the behavior I would expect from Karl Rove during an election, or some guy telling me he’s the son of a deposed Nigerian prince, not a business that wants me to trust them with my money. Maybe I’m naive, but I tend to see the good in everyone until proved otherwise. Verifone just proved otherwise.
From Verifone’s open letter: (B)ecause anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.
Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.
Do you know what else is unsecure about credit card transactions? Everything. Verifone isn’t pointing out anything new.
Here are some other ways you could steal someone’s credit card numbers.
- Take a photo of it with your cell phone camera.
- Memorize it.
- Write it down.
- Steal someone’s wallet.
- Trick someone into handing it to you.
Credit cards are unsecure. Hell, your data isn’t even encrypted on that magnetic strip, so it’s not like Square’s reader is even a problem. Any thief with a pen and a scrap of paper is a security threat.
Here’s the thing: If you’re worried about someone stealing your credit card number with a Square app, don’t hand your credit card to people you don’t know or trust. The same is true if a business uses a Verifone credit card system. This also includes waiters and waittresses who work in restaurants that already use Verifone’s credit card processing, store clerks that already use Verifone’s credit card processing, or calling catalog 800 numbers that use Verifone’s credit card processing. All of these places can have people who steal your credit card information with one of the methods I just listed, despite Verifone’s secure encryption.
The “problem” Verifone pointed out lies more in the fact that people could trick you, not because Square’s reader — or your credit card — is not encrypted. You run the same danger of being ripped off by a thief who gets a job as a waiter or by having your wallet or purse stolen. Yet Verifone doesn’t tell you that. No, they only attack a company who’s a serious threat to their profit margins.
What Verifone did is shameful, sleazy, and unethical. I decided a long time ago that I would never do business by bashing the competition. It didn’t matter whether they had horrible products or were nasty, immoral people. I would make comparisons between products, but I would never denigrate or embarrass a competitor. And I certainly wouldn’t do it in so grandiose and public a manner.
If Verifone can call on Square to recall their reader, then I’m calling on Verifone to remove their theft-enabling app and video showing people how to steal. I also think if people have their credit card information stolen by a Verifone app, they should sue Verifone immediately, forcing them to make restitution to the victims.
While I believe that every consumer has a right to credit card security and safety, and that Square should solve this problem (if it is indeed their problem, and not the credit card issuers who send out unencrypted credit cards), I think Verifone did more to harm their reputation than they did to hurt Square’s. That, and they just made it easier for thieves to steal. So, you know, thanks for that.
Square can fix a security flaw, but no amount of coding can unsleaze Verifone. I can guarantee that my company will never become a Verifone customer. I simply can’t trust them.