Square responds to Verifone's allegations (squareup.com)
135 points by panarky on March 10, 2011 | 53 comments



PR-wise, very well done on Square's part:

-Didn't mention the competitor by name, and stuck to addressing the arguments, without any messy ad hominem stuff.

-Set up a separate page to address this issue. They could have easily lost by simply shifting the focus of the discussion to questioning Square's security. Posting a message on their home page or their blog, for example, makes it an issue to people who had no previous exposure to the issue.

-Stuck to a basic analogy that everyone has experience with, and everyone can understand.

-Used the opportunity to discuss other aspects of Square without throwing it in the reader's face. I had no idea they had a partner bank.

Good on them. I feel Dorsey has a mind for this, but I also find myself wondering if they had any PR consultation.


One more thing that I think is very good for a situation like this. They kept it short, to the point. The message couldn't be more clear, and people can get suspicious if you're doing PR to clear up a fiasco, but you're rambling. In those situations, it's like you're obfuscating the message to hide the real deal.


..and jack didn't tweet it either.. now, that is class.


> I had no idea they had a partner bank.

Chase is probably their processor.


Verifone mentioned that Chase was their gateway.


I think you mean payment processor. Verifone (and its systems) are actually the gateway.


I used to develop kiosks that accepted credit cards for a company I started. We purchased some $20-$30 USB card swipers in order to capture credit card numbers and process orders. When you swiped the card, it would return an ASCII text string with the credit card number, name, and some additional codes (CVV1 and CVV2, I believe). If I recall correctly, the magnetic strip has a number of tracks, and you could program the reader to read one or all of these tracks. If you submitted the full string from the swipe to your merchant, you got a much better rate on the transaction.

The device was something like this: http://www.google.com/products/catalog?q=usb+card+swipe+read...

Anyway, seems to me there's nothing new here... just the fact that people can now get a device capable of decoding the tracks on a magnetic strip for $0 instead of $30.


Exactly. At first, I listened to Verifone's complaints with an open mind, because credit card fraud is pretty serious.

But then I started thinking, "That's it? A magstripe reader! You can get those anywhere and it will do the exact same thing. Unencrypted."

We had to pick one up for a customer so they can use magstripe time cards. To test it out, we plugged it into a computer, opened Notepad and started scanning anything with a magstripe.
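The two comments above describe readers that type the raw swipe as plain ASCII into whatever has focus. As an added example (not part of the thread or any poster's code), here is a log-redaction check for that kind of data, assuming the standard ISO/IEC 7813 Track 1 and Track 2 layouts; the sample swipe is constructed around a well-known test card number, and the function names are hypothetical.

```python
import re

# ISO/IEC 7813 layouts. Track 1 (format B): %B<PAN>^<NAME>^<YYMM><svc><disc>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><svc><disc>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact(line):
    """Return (redacted_line, findings) for one line of captured text."""
    findings = []

    def make_repl(kind, template):
        def repl(match):
            pan = match.group(1)
            if not luhn_ok(pan):
                return match.group(0)   # not a valid PAN: leave untouched
            masked = mask_pan(pan)
            findings.append((kind, masked))
            return template.format(masked)
        return repl

    line = TRACK1.sub(make_repl("track1", "%B{}^[NAME]^[REDACTED]?"), line)
    line = TRACK2.sub(make_repl("track2", ";{}=[REDACTED]?"), line)
    return line, findings

# Constructed sample: what a keyboard-emulating reader might type into a log.
SAMPLE_SWIPE = ("%B4111111111111111^DOE/JOHN^25121010000000000000?"
                ";4111111111111111=25121010000000000000?")

if __name__ == "__main__":
    print(redact(SAMPLE_SWIPE))
```
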


When the entrenched established companies start coming after you, that's when you know you're onto something.


This made me think, "I wish I could invest in Square."


UPDATE Since I raised some serious concerns, I wanted to update from the comments provided. Square does not store the data on the device. The device must have an internet connection and the data is sent, securely, online. In other words, the original allegations are stupid any way you slice it.

---

I think I'm missing something.

People seem to think that the problem is that Square can be used as a skimmer - which I agree is stupid. That's like saying a pen & paper is a skimmer.

However, it seems like the real issue is that Square stores the data on the device in the clear. What happens if the device gets stolen?

Imagine if a web app stored CC information in the clear and it got hacked, people would rightfully hold the vendor/processor responsible. If devices get stolen and data is stored in the clear, Square is totally wrong and they are totally deflecting/mis-representing the issue.

Can anyone with actual knowledge about this, rather than two businesses pointing fingers, clear this up for us?


From http://www.sq-skim.com/

> Let me explain how easy it is to exploit the vulnerability.
>
> A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you've got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It's shockingly simple.
>
> The issue is that Square's hardware is poorly constructed and lacks all ability to encrypt consumers' data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

The "problem" is that the Square reader thing doesn't encrypt its communication to the iDevice.

And it shouldn't. As Square said in the letter, by merely seeing your card someone has enough information to steal from you. At best they could public-key encrypt the data in the reader itself and pipe the encrypted data to their servers... until someone cracks the key. Or makes a fake Square reader that's identical to the ones out now. At which point we're back at square one. As it stands, Square just made a simpler version of a standard credit card reader, and for some reason they're claiming it's a security hole.

FWIW: Verifone just guaranteed I'll go out of my way to avoid ever being a customer of theirs. This is FUD, plain and simple; they're probably doing it because they see a threat and are trying to squash it, rather than out-perform it.


Is that really right tho?

Let's follow the waiter example. In order to skim the card number they'd have to put the card down, pull out a pen, and copy it. Likely within plain sight of their employees. With a skimmer they just discreetly 'double swipe' the card and they got what they need. It certainly makes it a simpler attack vector.

Now you don't really need square to do this. There are plenty of magnetic card readers out there (I seem to recall someone got caught doing precisely this with a PDA of some kind). That doesn't mean that Square should make it simple. Why not provide some sort of encryption to the communications layer?


People have cell phones with cameras - just take a picture. Nobody would think it strange that they have a cell phone in-hand while walking around.

What sort of encryption would you think they could do? And how much larger and more expensive would it make the reader? And where would it get enough power to perform the encryption (which MUST be asymmetric to be secure, or the key can be extracted from the device)? They'd lose all semblance of interoperability between devices, add a battery, add significant cost, and all to fight a bogus claim and do nothing to prevent someone from buying a standard, unencrypted card reader that isn't under fire.


We don't store any data on the device per PCI security standards. We mention this on our security page: https://squareup.com/security


Do the PCI security standards mention data communication encryption? If so, would this apply to the communication of data from the reader device to the software on the phone?


Square doesn't store any data at all. Currently, the app requires internet access to process the payments.


The issue is truly the stupid one you mention. But it makes sense if you think about it from the point of view of a company whose business is "secure hardware" to bash the Square hardware as somehow being "insecure".


Isn't it possible that malware which found its way onto the phone could skim off the data as it's being swiped? This is entirely different than a typical physical skimmer, as the person swiping the card for entirely legitimate reasons is likely unaware of the malware, and would be as much a victim as the cardholder. From what I understand, the Square device does not encrypt the data sent to the Square app, making it easier for malware to capture transaction data as it's processed.


Verifone has a point, but it comes through very badly in what they wrote. It's all about the issue of trust and habit.

Skimming equipment, both software and hardware, has been freely available for ages now. And it's quite simple. Anybody who knows how to use ebay and write a small application can create quite sophisticated skimming equipment themselves.

The problem is not the availability of the equipment or the know-how. The problem is what "average Joe" is used to. If "average Joe" would balk when presented an off the shelf mobile phone to swipe their card through, well, then skimming using a mobile phone would be hard. But if the banks and payment processors have trained "average Joe" to know that a mobile phone is a completely legit way of reading credit cards, well then this type of skimming is easy.

If no ATMs existed, well, then it would be really hard to skim cards using an ATM-like device, because people would balk.

It's all about keeping the different legit ways of accepting credit card payment to a minimum. The fewer legit ways, the fewer possibilities of skimming.

On the other hand, there is no doubt in my mind that mobile payment will be the future. Replacing the standard plastic with a chip in your mobile phone will become commonplace soon, and we will also probably see applications where you can transfer money to others simply by having both mobile phones interact.

So the question is if the big fuss really helps anyone, or if it's only delaying the inevitable.


Giving any credibility to that argument is entirely fallacious because it fails the infinite regression test. Ultimately, you end up back at the argument that if we all relied on cash, there would be no credit/debit card information to steal at all.

Making it difficult to process credit cards doesn't solve the problem of credit card security.


Not talking about making it difficult to process credit cards, but rather standardizing it as much as possible. I will again use the ATM as an example. If all ATMs looked exactly the same anybody should be able to detect fake ATMs and ATMs sabotaged with external skimming equipment.

Security-wise an inexpensive portable standardised terminal would make much more sense. In the end it would cost a bit more, but this would not necessarily translate to increased cost for the POS. Less skimming equals less cost to the service providers _and_ the POS.


The original allegation can be found at: http://www.sq-skim.com/

(if there's a permanent URL for that, I can't find it).


Man, that letter's awesome. You could replace 'Square reader' with 'Pen' and the letter's truth and value remain intact.


Wow, the words "pathetic", "desperate", and "classless" come to mind.


As Raymond Chen puts it, "it rather involves being on the other side of this airtight hatchway". Why even bother with the dongle, just photograph the card (or punch the owner with a bat) and you're done.

[1] http://blogs.msdn.com/b/oldnewthing/archive/2010/05/11/10009...


Big kudos for keeping the rebuttal short and clear.


Sure, the CC data can easily be stolen even now but assuming square gets popular, consumers then will have to "trust one more device" in addition to the card-readers used by merchants, any other place where you swipe the card, the waiter, etc etc. And more so because it's much easier to write rogue apps or malware-apps for smartphones than to hack the dedicated card readers. In case of a malware-app, the danger is not just limited to one merchant. It seems to me that the real question raised by verifone is not being given enough concern. Why can't the square card encrypt the CC data ?? with a private key that only square-app can make sense of?


> And more so because it's much easier to write rogue apps or malware-apps for smartphones than to hack the dedicated card readers

When I hand over my card to a merchant in a store, how do I know what they are swiping it in is a dedicated and secure card reader? I don't.


In the UK the merchant is not permitted to touch the customer's card; all the card readers face the customer and are used by the customer (restaurants all have mobile PIN entry devices).

Now each credit card in the UK has a chip (which uses end-to-end crypto), they're looking to phase out magstripes completely.

Currently if the merchant has to fall back to using the magstripe then he'll have considerably less protection against customer fraud, and he'll pay a much higher transaction fee.

Square would not be permitted to operate in the UK.


> Square would not be permitted to operate in the UK.

However neither would the other 99% of the credit cards in the US. The US infrastructure is insecure, and Square is no worse than the rest of it.


A few years ago there was someone at a kiosk in a mall in NYC (I think), who got busted skimming. She was double-swiping, once through their POS system, and then a second time on a Palm Pilot with a magnetic stripe reader attached. She got busted because someone saw her doing it and got suspicious. Now, think about the number of times you hand over your card and it leaves your line of sight to be swiped. Other than retail stores, it happens to me all the time.


Presumably, encryption would add hardware costs to a device that they're giving away tens of thousands of for free, and only provide the illusion of additional security on top of their existing security measures once it hits the iOS client (pure speculation on my behalf).


If they baked the server's public key into the device and encrypted data with that, then only the server would be able to access the raw card data. This would prevent the device from being useful for anyone but Square. It may not be worthwhile to do so, but it certainly isn't the illusion of security if your concern is accessing the raw data.


Their defense essentially places the onus on their processor (JPMorgan Chase) to employ "risk mitigation" techniques we all admonish PayPal for.

I guess the question is this: why not use smartcards or RFID? Other countries have for years. Why not in the US?


Chase wouldn't be the one processing skimmed transactions, anyhow - it would be any merchant or processor the thief could find with weak fraud controls. In the US, ultimate liability for fraud is usually with the wronged merchant.

You know why Paypal lost a hundred million in fraud? One way was because they were the weakest link at the time: Paypal got used for cashing. (The hardest, riskiest part of stealing credit cards: transforming a credit card number into hard currency, without getting arrested. There are any number of ways to do this: buy items with a high resale value on eBay, pay with Psypal backed by stolen cards, sell items for cash. Set up affiliate account with merchant of high margin item, put sham transactions through using Paypal account backed by stolen cards, withdraw clean money from affiliate account to which no accessible link to Paypal accounts exists. etc, etc)

Smart cards/RFID are basically worthless for preventing card not present fraud, which is the lion's share of it.


I know it's an innocent typo, but I love the idea of Psypal. That's when they use psychics for fraud detection.


It's not Square's defence. It's every merchants'/processors' defence.

I have a card with information stored on a magnetic strip, a smart card, RFID and text. It doesn't matter which of these you use to steal the information, the result is the same.


Yeah, but if the customers are cautious to always use the chip instead of the magnetic strip it's much more difficult for criminals to steal the info without the owner noticing it.


Risk mitigation is probably mostly done by Square and JP Morgan/Chase stands behind it.


One thing that could help this would be if Square let you pick a secret image, and they would show it in the app, when you're signing.

If someone is using a fake app, they wouldn't be able to incorporate your secret image, and you'd be tipped off. They'd still get your credit card, but you'd know it right away, and could cancel your card/call the police right there.

Same thing banks do on web sites to prevent this same kind of attack.


A very measured and sensible response. No set of security measures is 100% perfect. How you deal with and manage the imperfections is the real test.


Wait. Isn't the data on the magnetic strip unencrypted anyway? Sure, your little card reader could encrypt the data, then send little ones and zeros through the headphone jack to be decrypted by your proprietary software, but the original data still isn't encrypted. It's just sitting there on the card in all of its unencrypted glory. This is essentially security through obfuscation.


Relevant, how Verifone have been gunning for Square since the start: http://www.youtube.com/watch?v=sVOzysmxhyM


At best, the issue I can see here is that Square would make it easy to very quickly and casually skim a card without having to look at it, or be seen writing down the info from it. A marginal advantage if you already have access to the card, but conceivably, a fast fingered waiter could pull this off in public view, and the Square app is perhaps a little easier to conceal than other card readers.

What about the value of also capturing the CVV1 code, which, as I understand it, is the only piece of info not already printed on the card?


CVV is printed on the back of the card. Thus the point remains, once I hand over my card to someone, all of the information they need to use my card is printed right on the card.


My understanding is that the CVV2 is printed on the back of the card for phone and online orders and the CVV1 encoded on the strip for in person orders when the card is swiped.

I'm not sure what the security rationale is for 2 distinct codes. Maybe the CVV1 value is designed to prevent thieves from making swipable cards when they only have the credit card number and didn't clone a card (e.g. they obtained the card number from a rogue or compromised online store).


The two codes are probably because the banks distinguish between merchants that take cards online and those that only accept physical cards; the latter get charged less, because they're a lower risk. (At least, that used to be the case.) With two codes, the banks can require physical-only merchants to include the CVV2.


Change is so Scary to big Business.


tl:dr - FUD backfires, Dorsey FTW.


It was already pretty short.


~


TiL;De...R? If so, that's kinda clever...

I disagree with tldr on this entirely, however; it's short, to the point, and an astoundingly good way of responding to the allegations (ie, FUD).



