Square Security Flaw (Alleged) Introduced by Competitor VeriFone
There has been a lot of buzz around Square, the credit card reader service co-founded by Twitter co-founder Jack Dorsey. The service makes it easy for anyone to accept credit card payments, via a card reader that plugs into mobile devices.
The company may have a PR disaster on its hands now, however. Douglas G. Bergeron, CEO of VeriFone, a direct competitor of Square’s, has published an open letter (with its own domain and all) to “the industry and consumers” about a security flaw in Square’s service, which, according to Bergeron, puts consumers at risk when they make purchases through Square.
He explains how criminals can exploit this. Here’s a sample of the letter that provides the basic gist of what Bergeron has to say:
The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.
There are hundreds of thousands of these unsecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.
Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.
He posted a YouTube video, which has now been removed.
Bergeron says he has a sample skimming application that can be downloaded, to show how it works, and that he’s giving a copy to Visa, MasterCard, Discover, American Express, and JP Morgan Chase.
Now, Bergeron’s claims have been met with a great deal of criticism, mostly along these lines:
@verifone Maybe you shouldn’t create a skimming App and distribute it to the public to prove a point about @square
Regardless of whether there is any merit to Bergeron and VeriFone’s smear campaign, people are still going to see headlines about Square related to security concerns, which could attach negative connotations to the service in their minds, whether justified or not.
Square seems to have built itself a pretty solid reputation thus far. It will be very interesting to see how that reputation holds up following this incident.
So far, we haven’t seen any response from Square.
Update: Now, we’ve heard from Square.