
Square responds to Verifone's allegations

135 points | panarky | 15 years ago | squareup.com

53 comments

[+] rriepe|15 years ago|reply
PR-wise, very well done on Square's part:

-Didn't mention the competitor by name, and stuck to addressing the arguments, without any messy ad hominem stuff.

-Set up a separate page to address this issue. They could have easily lost by simply shifting the focus of the discussion to questioning Square's security. Posting a message on their home page or their blog, for example, makes it an issue to people who had no previous exposure to the issue.

-Stuck to a basic analogy that everyone has experience with, and everyone can understand.

-Used the opportunity to discuss other aspects of Square without throwing it in the reader's face. I had no idea they had a partner bank.

Good on them. I feel Dorsey has a mind for this, but I also find myself wondering if they had any PR consultation.

[+] PakG1|15 years ago|reply
One more thing that I think is very good for a situation like this. They kept it short, to the point. The message couldn't be more clear, and people can get suspicious if you're doing PR to clear up a fiasco, but you're rambling. In those situations, it's like you're obfuscating the message to hide the real deal.
[+] Jayasimhan|15 years ago|reply
...and Jack didn't tweet it either... now, that is class.
[+] jemka|15 years ago|reply
I had no idea they had a partner bank.

Chase is probably their processor.

[+] jakewalker|15 years ago|reply
I used to develop kiosks that accepted credit cards for a company I started. We purchased some $20-$30 USB card swipers in order to capture credit card numbers and process orders. When you swiped the card, it would return an ASCII text string with the credit card number, name, and some additional codes (CVV1 and CVV2, I believe). If I recall correctly, the magnetic strip has a number of tracks, and you could program the reader to read one or all of these tracks. If you submitted the full string from the swipe to your merchant, you got a much better rate on the transaction.

The device was something like this: http://www.google.com/products/catalog?q=usb+card+swipe+read...

Anyway, seems to me there's nothing new here... just the fact that people can now get a device capable of decoding the tracks on a magnetic strip for $0 instead of $30.
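The comment above describes what a keyboard-emulating USB swipe reader hands to the host: a cleartext ASCII string holding the card number, name and expiry from one or more tracks. The defensive consequence is that any system near such a reader (kiosk logs, crash dumps, debug output) can end up holding raw track data, which PCI DSS forbids storing. The following is an added example, not code from the thread or from Square or Verifone; it assumes the standard ISO 7813 track 1 / track 2 layout, uses constructed sample strings (the well-known 4111111111111111 Visa test number, a made-up name and fake log lines), and applies a Luhn check to separate track-shaped noise from real card numbers before masking them:

```python
import re

# Constructed sample input (not captured from any real device). The first two
# strings are in the ISO 7813 track 1 / track 2 layout that a keyboard-emulating
# USB swipe reader types out; 4111111111111111 is the public Visa test number,
# the name and dates are made up, and the remaining lines are fake kiosk logs.
SAMPLE_LINES = [
    "%B4111111111111111^DOE/JANE^25121011000000000000?",
    ";4111111111111111=25121011000000000000?",
    "2011-03-10 12:01:55 kiosk: order 1234 total 19.99",
    "2011-03-10 12:02:10 kiosk: raw swipe %B4111111111111111^DOE/JANE^2512101?;4111111111111111=2512101?",
    "%B1234567890123456^TEST/CARD^2512101?",  # track-shaped but fails Luhn: not a real PAN
]

# Track 1: start sentinel %, format code B, PAN, ^ name ^, YYMM expiry,
# discretionary data (which is where the CVV1 lives), end sentinel ?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?]*)\?"
)
# Track 2: start sentinel ;, PAN, = separator, YYMM expiry, discretionary data, end sentinel ?
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<rest>[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; every issued card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: at most the first six and last four digits remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one finding per track whose PAN passes Luhn; the PAN is already masked."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group("pan")):
            hits.append({"track": 1, "pan": mask_pan(m.group("pan")), "exp": m.group("exp")})
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group("pan")):
            hits.append({"track": 2, "pan": mask_pan(m.group("pan")), "exp": m.group("exp")})
    return hits


def redact_line(line: str) -> str:
    """Replace anything track-shaped, Luhn-valid or not: over-redacting a log is the safe failure."""
    line = TRACK1_RE.sub(lambda m: f"[TRACK1 REDACTED pan={mask_pan(m.group('pan'))}]", line)
    return TRACK2_RE.sub(lambda m: f"[TRACK2 REDACTED pan={mask_pan(m.group('pan'))}]", line)


def scan_lines(lines: list) -> list:
    """(index, findings) for every line that carries real-looking track data."""
    out = []
    for i, line in enumerate(lines):
        hits = find_track_data(line)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in scan_lines(SAMPLE_LINES):
        print(f"line {i}: {hits}")
        print("   redacted:", redact_line(SAMPLE_LINES[i]))
```

Run against a real log directory this is the core of a PCI-scope sweep: the regexes find the sentinels a reader emits, the Luhn filter keeps the alert count honest, and the redaction step never writes the full PAN back out.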

[+] bena|15 years ago|reply
Exactly. At first, I listened to Verifone's complaints with an open mind, because credit card fraud is pretty serious.

But then I started thinking, "That's it? A magstripe reader! You can get those anywhere and it will do the exact same thing. Unencrypted."

We had to pick one up for a customer so they can use magstripe time cards. To test it out, we plugged it into a computer, opened Notepad and started scanning anything with a magstripe.

[+] jakewalker|15 years ago|reply
When the entrenched established companies start coming after you, that's when you know you're onto something.
[+] SwellJoe|15 years ago|reply
This made me think, "I wish I could invest in Square."
[+] latch|15 years ago|reply
UPDATE Since I raised some serious concerns, I wanted to update from the comments provided. Square does not store the data on the device. The device must have an internet connection and the data is sent, securely, online. In other words, the original allegations are stupid any way you slice it.

---

I think I'm missing something.

People seem to think that the problem is that Square can be used as a skimmer - which I agree is stupid. That's like saying a pen & paper is a skimmer.

However, it seems like the real issue is that Square stores the data on the device in the clear. What happens if the device gets stolen?

Imagine if a web app stored CC information in the clear and it got hacked, people would rightfully hold the vendor/processor responsible. If devices get stolen and data is stored in the clear, Square is totally wrong and they are totally deflecting/misrepresenting the issue.

Can anyone with actual knowledge about this, rather than two businesses pointing fingers, clear this up for us?

[+] Groxx|15 years ago|reply
From http://www.sq-skim.com/

> Let me explain how easy it is to exploit the vulnerability.

> A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you've got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It's shockingly simple.

> The issue is that Square's hardware is poorly constructed and lacks all ability to encrypt consumers' data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

The "problem" is that the Square reader thing doesn't encrypt its communication to the iDevice.

And it shouldn't. As Square said in the letter, by merely seeing your card someone has enough information to steal from you. At best they could public-key encrypt the data in the reader itself and pipe the encrypted data to their servers... until someone cracks the key. Or makes a fake Square reader that's identical to the ones out now. At which point we're back at square one. As it stands, Square just made a simpler version of a standard credit card reader, and for some reason they're claiming it's a security hole.

FWIW: Verifone just guaranteed I'll go out of my way to avoid ever being a customer of theirs. This is FUD, plain and simple; they're probably doing it because they see a threat and are trying to squash it, rather than out-perform it.

[+] bigmac|15 years ago|reply
Square doesn't store any data at all. Currently, the app requires internet access to process the payments.
[+] dgreensp|15 years ago|reply
The issue is truly the stupid one you mention. But it makes sense if you think about it from the point of view of a company whose business is "secure hardware" to bash the Square hardware as somehow being "insecure".
[+] ryanhuff|15 years ago|reply
Isn't it possible that malware which found its way onto the phone could skim off the data as it's being swiped? This is entirely different than a typical physical skimmer, as the person swiping the card for entirely legitimate reasons is likely unaware of the malware, and would be as much a victim as the cardholder. From what I understand, the Square device does not encrypt the data sent to the Square app, making it easier for malware to capture transaction data as it's processed.
[+] deadcyclo|15 years ago|reply
Verifone has a point, but it comes through very badly in what they wrote. It's all about the issue of trust and habit.

Skimming equipment, both software and hardware, has been freely available for ages now. And it's quite simple. Anybody who knows how to use ebay and write a small application can create quite sophisticated skimming equipment themselves.

The problem is not the availability of the equipment or the know-how. The problem is what "average Joe" is used to. If "average Joe" would balk when presented an off the shelf mobile phone to swipe their card through, well, then skimming using a mobile phone would be hard. But if the banks and payment processors have trained "average Joe" to know that a mobile phone is a completely legit way of reading credit cards, well then this type of skimming is easy.

If no ATMs existed, well, then it would be really hard to skim cards using an ATM-like device, because people would balk.

It's all about keeping the different legit ways of accepting credit card payment to a minimum. The fewer legit ways, the fewer possibilities of skimming.

On the other hand, there is no doubt in my mind that mobile payment will be the future. Replacing the standard plastic with a chip in your mobile phone will become commonplace soon, and we will also probably see applications where you can transfer money to others simply by having both mobile phones interact.

So the question is if the big fuss really helps anyone, or if it's only delaying the inevitable.

[+] bradleyland|15 years ago|reply
Giving any credibility to that argument is entirely fallacious because it fails the infinite regression test. Ultimately, you end up back at the argument that if we all relied on cash, there would be no credit/debit card information to steal at all.

Making it difficult to process credit cards doesn't solve the problem of credit card security.

[+] latch|15 years ago|reply
The original allegation can be found at: http://www.sq-skim.com/

(if there's a permanent URL for that, I can't find it).

[+] famousactress|15 years ago|reply
Man, that letter's awesome. You could replace 'Square reader' with 'Pen' and the letter's truth and value remain intact.
[+] tlrobinson|15 years ago|reply
Wow, the words "pathetic", "desperate", and "classless" come to mind.
[+] blutonium|15 years ago|reply
Their defense essentially places the onus on their processor (JPMorgan Chase) to employ "risk mitigation" techniques we all admonish PayPal for.

I guess the question is this: why not use smartcards or RFID? Other countries have for years. Why not in the US?

[+] patio11|15 years ago|reply
Chase wouldn't be the one processing skimmed transactions, anyhow - it would be any merchant or processor the thief could find with weak fraud controls. In the US, ultimate liability for fraud is usually with the wronged merchant.

You know why Paypal lost a hundred million in fraud? One way was because they were the weakest link at the time: Paypal got used for cashing. (The hardest, riskiest part of stealing credit cards: transforming a credit card number into hard currency, without getting arrested. There are any number of ways to do this: buy items with a high resale value on eBay, pay with Paypal backed by stolen cards, sell items for cash. Set up an affiliate account with a merchant of a high margin item, put sham transactions through using a Paypal account backed by stolen cards, withdraw clean money from the affiliate account to which no accessible link to Paypal accounts exists. etc, etc)

Smart cards/RFID are basically worthless for preventing card not present fraud, which is the lion's share of it.

[+] haribilalic|15 years ago|reply
It's not Square's defence. It's every merchant's/processor's defence.

I have a card with information stored on a magnetic strip, a smart card, RFID and text. It doesn't matter which of these you use to steal the information, the result is the same.

[+] radicaldreamer|15 years ago|reply
Risk mitigation is probably mostly done by Square and JP Morgan/Chase stands behind it.
[+] famousactress|15 years ago|reply
Big kudos for keeping the rebuttal short and clear.
[+] aashpak1|15 years ago|reply
Sure, the CC data can easily be stolen even now but assuming square gets popular, consumers then will have to "trust one more device" in addition to the card-readers used by merchants, any other place where you swipe the card, the waiter, etc etc. And more so because it's much easier to write rogue apps or malware-apps for smartphones than to hack the dedicated card readers. In case of a malware-app, the danger is not just limited to one merchant. It seems to me that the real question raised by verifone is not being given enough concern. Why can't the square card encrypt the CC data? With a private key that only the square-app can make sense of?
[+] brown9-2|15 years ago|reply
> And more so because it's much easier to write rogue apps or malware-apps for smartphones than to hack the dedicated card readers

When I hand over my card to a merchant in a store, how do I know what they are swiping it in is a dedicated and secure card reader? I don't.

[+] jschuur|15 years ago|reply
Presumably, encryption would add hardware costs to a device that they're giving away tens of thousands of for free, and only provide the illusion of additional security on top of their existing security measures once it hits the iOS client (pure speculation on my behalf).
[+] erikpukinskis|15 years ago|reply
One thing that could help this would be if Square let you pick a secret image, and they would show it in the app, when you're signing.

If someone is using a fake app, they wouldn't be able to incorporate your secret image, and you'd be tipped off. They'd still get your credit card, but you'd know it right away, and could cancel your card/call the police right there.

Same thing banks do on web sites to prevent this same kind of attack.

[+] Saad_M|15 years ago|reply
A very measured and sensible response. No set of security measures is 100% perfect. How you deal with and manage the imperfections is the real test.
[+] stitchy|15 years ago|reply
Wait. Isn't the data on the magnetic strip unencrypted anyway? Sure, your little card reader could encrypt the data, then send little ones and zeros through the headphone jack to be decrypted by your proprietary software, but the original data still isn't encrypted. It's just sitting there on the card in all of its unencrypted glory. This is essentially security through obfuscation.
[+] jschuur|15 years ago|reply
At best, the issue I can see here is that Square would make it easy to very quickly and casually skim a card without having to look at it, or be seen writing down the info from it. A marginal advantage if you already have access to the card, but conceivably, a fast fingered waiter could pull this off in public view, and the Square app is perhaps a little easier to conceal than other card readers.

What about the value of also capturing the CVV1 code, which, as I understand it, is the only piece of info not already printed on the card?

[+] brown9-2|15 years ago|reply
CVV is printed on the back of the card. Thus the point remains, once I hand over my card to someone, all of the information they need to use my card is printed right on the card.
[+] PHPAdam|15 years ago|reply
Change is so scary to big business.
[+] overred|15 years ago|reply
~
[+] Groxx|15 years ago|reply
TiL;De...R? If so, that's kinda clever...

I disagree with tldr on this entirely, however; it's short, to the point, and an astoundingly good way of responding to the allegations (i.e., FUD).