VeriFone Talks Smack: Does Square Actually Have Security Flaws?

VeriFone and Square

Electronic payment firm VeriFone launched a surprise attack on hot mobile-payment startup Square today, with CEO Douglas Bergeron penning an open letter that chastised Square's security flaws, urged a recall of Square's products, and asked credit giants from Visa to MasterCard to review an app VeriFone created, "in less than an hour," which supposedly "skims" or steals a consumer's credit card info through Square.

Let's examine whether this amounts to a bold PR move from a defensive competitor or whether Square actually has serious security loopholes to fix.

VeriFone's biggest charge is that Square's hardware doesn't encrypt consumer data. Once the card is swiped, information is encrypted only after it reaches Square's app, VeriFone says. During the time in between, charges Bergeron, there's a "window for criminals to turn the device into a skimming machine" simply by creating a fake Square app that intercepts the unencrypted information.

Of course, consumer data could just as easily be stolen on any other device. Rather than create fake Square software, one needs only an electronic skimmer—say, a mock VeriFone device—to pull data from a victim's card after it's swiped during a seemingly legitimate transaction. It may look like you just swiped through your typical bulky credit card machine—until you get a call from your bank a few weeks later saying your card info has been stolen. Such thefts are not uncommon at bars, restaurants, or in ATMs.

But even easier than using a skimmer? Just copy down the information that appears on the card. How many times have we given credit cards to waiters, who wander off into the back room to complete the transaction? Couldn't they just copy down your name, card number, security code, and expiration date? It's not as if that information is encrypted.

Yet Square's defense cannot be that VeriFone and other devices are just as insecure. While other card readers face similar security flaws, Square's appears to be the easiest to exploit: you don't need a fake skimmer, because the information can be skimmed through the actual Square device, which, according to VeriFone, does not encrypt consumer data.

Perhaps part of the issue is that Square's hardware is designed for mass consumption. After all, the device is given away for free, and, as COO Keith Rabois recently told Fast Company, manufacturing costs are "measured in the dollars." Does that low cost reduce the device's security capabilities? Square declined to comment for the record by press time, but, tellingly, in the security section of its website, Square says only its software, not its hardware, is developed using industry-standard security practices.

Square security

That's unlike mobile payment competitor Intuit, whose GoPayment system uses a Mophie card reader that instantly encrypts consumer data. Intuit's hardware costs $179.95, and Intuit specifies that "after swiping the card, data is immediately encrypted using Intuit's industry-standard security methods." Intuit also offers a free version of its card reader with the exact same encryption.

When asked recently about Square's security, Rabois told Fast Company that "design matters in security." "The more well constructed a product is, the more people trust it," Rabois said.

Yet perception of security does not equate with a system that is actually secure. Perhaps that is where Square stumbled: trusting that designing a sleek device would somehow create real—as opposed to perceived—security. "If something looks well designed, it appeals to people," Rabois said. "They understand that a lot of care went into it, and that helps—it's the best way to ease concerns."

Following VeriFone's damning accusations, Square may have to go beyond design to ease consumer concerns about safety.

No doubt, this is a clear PR move by VeriFone, but that hasn't stopped us from wondering whether Square's hardware is easily susceptible to card skimming. Do Square's devices encrypt consumer information once a card is swiped? We're waiting to hear back from Square for answers.


12 Comments

  • Fuelco50

    Never had card compromised from Square, but have had it through a VeriFone terminal

  • Laurel Redd

    I will say as a Square user that I believe that a lot of the negative publicity that VeriFone is putting out about the Square reader is incorrect and is sour grapes. For heaven's sake, VISA has just invested in the SquareUp company! That seems to show to me that it's much safer than VeriFone is making it out to be. I think that VeriFone wants to kill off a viable competitor with half-truths. Does it state in VeriFone's open letter that it took VeriFone SIX MONTHS to figure out how the Square dongle even worked to get to a starting point to write that code, not just the hour to write a program, which may be easy once you take the 6 months of R&D that was needed? Does it state that their programmer is already familiar with banking and commerce software and CC processing software and encryption? NO, it does not.

    In conclusion - I have to stick with my Square even so. I CAN'T afford as a small merchant to pay the merchant fees (which VeriFone doesn't include!) + the monthly VeriFone fees + the activation fee + the cost of the reader itself. I will say that even if I could, at this point I would not, as what they have just attempted with this slander campaign is pretty shady.

  • Keith McPherson

    Criminals will always find a way to circumvent just about any security measure if they are determined enough, but as a business owner who uses the Square service daily I have some issues with exactly how, in a real-world situation, this might work. When I applied initially to use Square's service it was essentially the same as any card processor in that I had to provide bank information and go through a credit check and have my bank account verified. Once your account is verified you can use the app to manually enter card numbers, so I suppose if you were to simply write down information you could use it in this way, but they do require one additional bit of information to run charges this way and you would need to ask the cardholder for this as it is not on the card anywhere. Any system that allows manual entry of numbers to run a charge could be used in this manner, I suppose. In addition, Square does not ship a reader to you until your account has been verified. Even if you go through this process and get verified and have a reader shipped to you, you need to offer something that a cardholder would actually give you his card to initiate a transaction for. Since the reader is attached to the phone, any transaction I do is in the presence of the cardholder, and obviously they are paying for my service. Once the card is swiped the program does not allow me to retrieve that card number, so even if I wanted to use that number fraudulently I would need to ask for that extra piece of information to run it manually. Not smart if I am a legitimate service. So even with a verified account and a reader, the criminal would have to find a way to get card numbers either illicitly or have someone physically hand them their card. So whether or not the card information is encrypted, in real-world use, it seems very unlikely that it could be used in this fashion.
    At some point the consumer must take some reasonable precautions with their card information, and the only way I see for the Square reader to be used this way is for consumers to hand out this information when no product or service is being offered. Unlikely at best. All transactions are geo-tagged as well, so even if a server at a restaurant were to get a reader and surreptitiously run your card, eventually this would be fairly obvious. Theory and reality are very different, and to run a fraud in this manner I think would take a well-financed criminal ring with very high technical skills, in which case I don't think any system could be completely secure.

  • Larry Godfrey

    Stephen makes a good point. The other point to consider is that existing skimming devices are inexpensive, but they are not connected to a cellular network that allows the stolen track data to be immediately transmitted anywhere in the world. Existing skimming devices are also not susceptible to viruses. The real attack vector here is a virus that infects the smartphone where the non-encrypting reader is being used and steals the card track data without the user even being aware; that is a much bigger risk than one individual using a skimming device.

  • David Fields

    What I'm seeing here is an automatic assumption that Square is insecure. Personally, I don't know one way or another, but it seems to me that whether you're using a VeriFone reader or a Square reader, intercept software would still be able to rip the data and I don't care how good the hardware encryption is--someone's bound to defeat it sooner or later. For all we know, the Square reader may not even work without Square's own software driving it.

    Personally, I'd like to know a lot more before I make any decisions.

  • Austin Reader

    I love this sentence:

    "Let's examine whether this amounts to a bold PR move from a defensive competitor or whether Square actually has serious security loopholes to fix."

    You've got to be kidding me! "A bold PR move"? I think you meant "a cheap attack".

  • Mark Johnson

    I had Square and was checking it out for months and could not find out why Square on their website has a PCI compliant label for Tier ONE, but if you look at PCI Validated Payment Applications you do not see Square on it?

    Validated Payment Applications from PCI (the VISA/MasterCard approved apps site for payments): if it is not on this site it should not be using credit cards.

    https://www.pcisecuritystandar...

    Square Tier one logo on website
    https://help.squareup.com/cust...

    MJ

    Something smells funny around here! Square, is it really secure?

  • Stephen Taylor

    This article fails to address an important factual issue: the difference between the data that is printed on the card and the track data that is hidden in the magnetic stripe of the card.

    It's true that a waiter can copy down your card number, expiration date, and security code. But a skimming device is much more devious than that: it collects the security information that is hidden on the mag stripe, allowing the thief to actually (quite easily) create a duplicate card that is tied to the same account. If this is a credit card, fraudulent charges could be made under a cardholder's name that would be very difficult to prove as fraudulent. If this is a debit card, the thief would be able to go to an ATM machine with a copy of your debit card and clean out your account within a couple of days. And because there is absolutely no measurable distinction between your card and the fraudulent one, it will be difficult if not impossible to dispute those transactions and recover your money. If Visa, MasterCard, and the other card brands don't pressure Square to issue a total recall, they are going to face some major expenses in damage control for all of the accounts that will be compromised. It will be very interesting indeed to follow these developments and see how long it takes before a major fraud ring comes to light using supposedly 'safe' Square hardware to compromise thousands of consumer bank accounts with duplicated cards.