Credit card processor VeriFone has released an open letter to both consumers and the card processing industry claiming that a smartphone-based credit card reader being marketed by start-up Square is plagued by a “serious security flaw” that puts users’ data at risk. According to VeriFone, the problem lies in the Square card reader dongle that connects to an iPhone, iPad, or Android device’s headphone connector: the dongle reads information off the card’s magnetic strip and sends it to the device unencrypted. The result, according to VeriFone, is that anyone could write a bogus skimming application that collected card information off the Square card reader, and experts could do it from scratch in under an hour. How do they know? They did it.
“In less than an hour, any reasonably skilled programmer can write an application that will “skim”—or steal—a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader,” VeriFone’s CEO Douglas G. Bergeron wrote in the letter. “How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.”
The idea behind Square is to enable anyone to accept credit card payments using just a smartphone, the Square dongle reader, and Square’s software—of course, users will also need to have a verified, non-prepaid bank account to accept credit card payments. However, VeriFone’s argument is that because the data read off the card is transmitted to the device unencrypted, anyone could write a bogus “Square” application and use it to skim credit card information from unsuspecting credit card users.
VeriFone is demanding that Square recall all its card-reading devices, and notes it is handing its application over to the likes of Visa, MasterCard, Discover, American Express, and JP Morgan Chase for their examination, urging them to stop accepting payments processed via Square. “If the industry allows Square and other similar attempts to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure and financial systems developed over the last three decades.”
Industry watchers have generally greeted VeriFone’s accusations and open letter with a healthy degree of skepticism. Some have accused VeriFone of having a blatant conflict of interest, since Square’s business model directly undercuts VeriFone’s own business of selling expensive credit card readers. In that context, VeriFone’s open letter can be viewed as an attempt to spread fear, uncertainty, and doubt (FUD) about a competitor’s product. Others have noted that, with the exception of the CVV1 number, the data on a credit card’s magnetic strip is exactly the same as the information printed on the credit card itself: skimmers need only take a decent picture of a credit card in order to “skim” the data off it—and they might get the user’s legal signature too.
[Updated 09-Mar-2011: Original text stated Square operated only with merchant accounts.]