Electronic payment firm VeriFone launched a surprise attack on hot mobile-payment startup Square today, with CEO Douglas Bergeron penning an open letter that chastised Square’s security flaws, urged a recall of Square’s products, and asked credit giants from Visa to MasterCard to review an app VeriFone created, “in less than an hour,” which supposedly “skims” or steals a consumer’s credit card info through Square.
Let’s examine whether this amounts to a bold PR move from a defensive competitor or whether Square actually has serious security loopholes to fix.
VeriFone’s biggest charge is that Square’s hardware doesn’t encrypt consumer data. Once the card is swiped, information is encrypted only after it reaches Square’s app, VeriFone says. During the time in between, charges Bergeron, there’s a “window for criminals to turn the device into a skimming machine” simply by creating a fake Square app that intercepts the unencrypted information.
Of course, consumer data could just as easily be stolen on any other device. Rather than creating a fake Square app, a thief needs only an electronic skimmer (say, a mock VeriFone terminal) to pull data from a victim's card after it is swiped during a seemingly legitimate transaction. It may look as if you just swiped through a typical bulky credit card machine, until you get a call from your bank a few weeks later saying your card information has been stolen. Such thefts are not uncommon at bars, restaurants, or ATMs.
But even easier than using a skimmer? Just copy down the information that appears on the card. How many times have we given credit cards to waiters, who wander off into the back room to complete the transaction? Couldn’t they just copy down your name, card number, security code, and expiration date? It’s not as if that information is encrypted.
Yet Square's defense cannot be that VeriFone's and other devices are just as insecure. While other card readers face similar flaws, Square's gap appears to be the most exposed: no fake skimmer is needed, because the information can be read through the genuine Square device, which, according to VeriFone, does not encrypt consumer data.
Perhaps part of the issue is that Square's hardware is designed for mass consumption. After all, the device is given away for free, and, as COO Keith Rabois recently told Fast Company, manufacturing costs are "measured in the dollars." Does that low cost reduce the device's security capabilities? Square declined to comment on the record by press time, but, tellingly, in the security section of its website, Square says only its software, not its hardware, is developed using industry standard security practices.
That's unlike mobile payment competitor Intuit, whose GoPayment system uses a Mophie card reader that encrypts consumer data as soon as the card is read. Intuit's hardware costs $179.95, and Intuit specifies that "after swiping the card, data is immediately encrypted using Intuit's industry-standard security methods." Intuit also offers a free version of its card reader with the exact same encryption.
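The difference VeriFone is pointing at is where the encryption boundary sits: in the app, or inside the reader head before anything reaches the phone. The following is an added illustration written for this article, not code from Square, VeriFone, or Intuit; it models a reader that hands raw track data to the phone beside one that encrypts under a key shared only with the payment processor, and checks what a phone-side app could read in each case. The track data, the key, and the HMAC-based stream cipher standing in for a real hardware cipher are all constructed assumptions.

```python
"""Where card data is protected in a mobile card-reader pipeline (constructed model)."""
import hashlib
import hmac
import os
import re

# Constructed sample in ISO/IEC 7813 track 2 layout, using a well-known test PAN.
TRACK2 = ";4111111111111111=25121011234?"
# Assumption: this key exists only inside the reader and at the payment processor.
PROCESSOR_KEY = os.urandom(32)


def luhn_ok(digits: str) -> bool:
    """Luhn check used to decide whether a digit run is a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pans_visible(data: bytes) -> list[str]:
    """PAN-looking digit runs (13-19 digits, Luhn-valid) readable by any app on the phone."""
    text = data.decode("latin-1")
    return [run for run in re.findall(r"\d{13,19}", text) if luhn_ok(run)]


def plain_reader(track: str) -> bytes:
    """Design A: the reader emits the swipe as-is; the app encrypts later."""
    return track.encode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher (constructed, not a real product's cipher).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def reader_encrypt(track: str, key: bytes) -> bytes:
    """Design B: the reader head encrypts and authenticates before anything reaches the phone."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track.encode(), _keystream(enc_key, nonce, len(track))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # the app only ever forwards this opaque blob


def processor_decrypt(blob: bytes, key: bytes) -> str:
    """Only the processor, holding the key, can recover the track data."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered blob or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
```

With design A the phone-side check finds the PAN in the clear; with design B it finds nothing, and only the processor can decrypt the blob.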
When asked recently about Square’s security, Rabois told Fast Company that “design matters in security.” “The more well constructed a product is, the more people trust it,” Rabois said.
Yet the perception of security is not the same as a system that is actually secure. Perhaps that is where Square stumbled: trusting that designing a sleek device would somehow create real, as opposed to perceived, security. "If something looks well designed, it appeals to people," Rabois said. "They understand that a lot of care went into it, and that helps. It's the best way to ease concerns."
Following VeriFone’s damning accusations, Square may have to go beyond design to ease consumer concerns about safety.
No doubt, this is a clear PR move by VeriFone, but that hasn’t stopped us from wondering whether Square’s hardware is easily susceptible to card skimming. Do Square’s devices encrypt consumer information once a card is swiped? We’re waiting to hear back from Square for answers.