Square Security Flaw (Alleged) Introduced by Competitor VeriFone

    March 9, 2011
    Chris Crum

There has been a lot of buzz around Square, the credit card reader service co-founded by Twitter co-founder Jack Dorsey. The service makes it easy for anyone to accept credit card payments, via a card reader that plugs into mobile devices.

The company may have a PR disaster on its hands now, however. Douglas G. Bergeron, CEO of VeriFone, a direct competitor of Square’s, has published an open letter (with its own domain and all) to “the industry and consumers” about a security flaw in Square’s service, which, according to Bergeron, puts consumers at risk when they make purchases through Square.

He explains how criminals can exploit this. Here’s a sample of the letter that provides the basic gist of what Bergeron has to say:

The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

There are hundreds of thousands of these unsecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.

Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.

He posted a YouTube video, which has now been removed.

Bergeron says he has a sample skimming application that can be downloaded, to show how it works, and that he’s giving a copy to Visa, MasterCard, Discover, American Express, and JP Morgan Chase.

Now, Bergeron’s claims have been met with a great deal of criticism. Mostly things along these lines:

Dear VeriFone: The magnetic stripe on the credit card is the insecure bit, not the @square card reader. http://j.mp/gW1Eg9

@verifone Maybe you shouldn’t create a skimming App and distribute it to the public to prove a point about @square

Regardless of whether there is any merit to Bergeron and VeriFone’s smear campaign, people are still going to see headlines about Square related to security concerns, which could leave them with negative associations with the service, whether justified or not.

Square announced last week that it is processing over $1 million a day. In February, the company eliminated a 15 cent transaction fee, making it an even more attractive offering for businesses.

Square seems to have built itself a pretty solid reputation thus far. It will be very interesting to see how that reputation holds up following this incident.

So far, we haven’t seen any response from Square.

Update: Now, we’ve heard from Square.


Chris Crum
Chris Crum has been a part of the WebProNews team and the iEntry Network of B2B Publications since 2003.