Square Security Flaw (Alleged) Introduced by Competitor VeriFone

There has been a lot of buzz around Square, the credit card reader service co-founded by Twitter co-founder Jack Dorsey. The service makes it easy for anyone to accept credit card payments, via a card reader that plugs into mobile devices.

The company may have a PR disaster on its hands now, however. Douglas G. Bergeron, CEO of VeriFone, which is a direct competitor of Square’s, has published an open letter (with its own domain and all) to “the industry and consumers” about a security flaw in Square’s service, which according to Bergeron, puts consumers at risk when they make purchases through Square.

He explains how criminals can exploit this. Here’s a sample of the letter that provides the basic gist of what Bergeron has to say:

The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

There are hundreds of thousands of these unsecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.

Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.

He posted a YouTube video, which has now been removed.

Bergeron says he has a sample skimming application that can be downloaded, to show how it works, and that he’s giving a copy to Visa, MasterCard, Discover, American Express, and JP Morgan Chase.

Now, Bergeron’s claims have been met with a great deal of criticism. Mostly things along these lines:

@SteveStreza
Steve StrezaDear VeriFone: The magnetic stripe on the credit card is the insecure bit, not the @square card reader. http://j.mp/gW1Eg9 2 hours ago via Twitterrific for Mac · powered by @socialditto

@MrTaylor76
Mr. Taylor@verifone Maybe you shouldn’t create a skimming App and distribute it to the public to prove a point about @square 17 minutes ago via Twitter for Mac · powered by @socialditto

Regardless of whether there is any merit to Bergeron and VeriFone’s smear campaign, people are still going to see headlines about Square related to security concerns, which could implant negative connotations with the service in their minds, whether justified or not.

Square announced last week that it is processing over $1 million a day. In February, the company eliminated a 15 cent transaction fee, making it an even more attractive offering for businesses.

Square seems to have built itself a pretty solid reputation thus far. It will be very interesting to see how that reputation holds up following this incident.

So far, we haven’t seen any response from Square.

Update: Now, we’ve heard from Square.

There are 7 Comments. Add Yours.

Randall
March 9, 2011 at 5:46 pm

Bottom line if you give your card to bad people, bad things are going to happen no matter what kind of device they are using. You could use a Mag-Tek card reader and notepad on a pc to skim cards.

Maybe if Verifone spent the same resources fixing their own crap, people wouldn’t turn to cheaper alternatives.
Adsense Publisher
March 9, 2011 at 6:29 pm

Chris, you need to edit your post as Youtube already removed the video.
Did you really think they would allow a video that shows people how to get people’s credit card info would be allowed to be on Youtube for very long?
Joe
March 9, 2011 at 6:58 pm

So I guess Verifone is Square’s competitor as they are on the defense? What are Verifone’s prices? I bet a lot higher. Square looks pretty attractive. Chris, Youtube removed the video.
Adsense Publisher
March 9, 2011 at 9:54 pm

All you really need is to put your cards inside those little sleeves and nobody can just grab your info off the strips without you removing the card from the sleeve.
Mark Johnson
March 10, 2011 at 2:23 am

I had square and was checking it out for months and could not find out why Square on their website has PCI compliant label for Tier ONE but if you look at PCI Validated Payment Applications you do not see square on it?

Validated Payment Applications from PCI

https://www.pci securitystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true

Square Tier one logo on website
https://help.squareup.com/customer/portal/articles/7763-security-at-square

MJ
Stella
March 10, 2011 at 3:12 pm

How do Square and Verifone’s pricing compare? Check out this nifty calculator from FeeFighters.

http://feefighters.com/square-vs-verifone/
bex
September 16, 2011 at 6:12 am

Its really hard to figure it out. I had some ideas about criminals act about credit cards. They can grab it in front of you without being notifying by yourself. Their are many tricks they have for it.