Yesterday, VeriFone (a $4.2b company) launched a harsh public attack on upstart rival Square (a less-than-fifty-people, $37.5m in funding startup). You may remember Square from previous coverage on TUAW or its impressive advertising last year. So what’s going on, exactly?
The basic gist of the Square service is simple. It sends you a free little reader doohicky which you plug into your iPhone or iPod touch’s headphone/mic port, and you get an accompanying app for free from the App Store. When you want to charge money from someone’s card, you swipe it, enter the amount, and they sign for the payment on your screen.
Square takes a transaction fee of a flat 2.75% for a swiped transaction (a little more if you manually key the card details in), but there are no other fees of any kind — not on the hardware nor a monthly service fee. There’s also no credit checks or complicated paperwork to sign up for Square in the first place.
This refreshing (and frankly, revolutionary) charge structure has made Square a big hit with the sorts of small businesses that normally wouldn’t bother with a card processing machine — particularly an expensive wireless one for those who work outdoors, such as farmers’ market stall proprietors, craft fair booth holders and the like. If the service continues to grow, this could be as disruptive to the entrenched credit card processing industry as Skype has been for international phone calls.
It certainly seems that Square’s tactics have ruffled VeriFone’s feathers. The payment processing giant attacked Square’s security in an open letter where even the domain used — “sq-skim.com” — is dripping with concentrated linkbait. “[T]here is a serious security flaw that Square has overlooked,” wrote VeriFone’s CEO Douglas G. Bergeron, “that places consumers in dire risk.” He then goes on to outline an attack against the Square service, complete with a helpful demo video showing the attack in action.
The essence of VeriFone’s gripe is as follows. It claims anyone can obtain a Square reader, but substitute their own app for Square’s. The fraudster cons the victim into handing over their card, perhaps by posing as a real merchant, and runs the card through their reader. Rather than carrying out a transaction, though, their special app simply records all the card details. The fraudster either pretends the card didn’t go through or (if their app is sophisticated enough to copy the Square one’s “transaction successful” screen) simply says “thank you” and hands the card back. Et voilà; a card cloned in seconds and the mark doesn’t suspect a thing (that is, if they fail to notice the lack of an electronic receipt from Square in their email). We are left to presume that VeriFone’s hastily launched Square competitor, Paywave Mobile, does not suffer from this problem.
Square’s CEO Jack Dorsey responded quickly and hit back with an open letter of his own in which he simply states that Square’s approach is no less insecure than anyone else’s and reiterate that they have the complete confidence of their processing house, JPMorgan Chase. In a “I’m telling Dad on you” moment, VeriFone’s previous letter specifically called on JPMorgan Chase to comment on the matter.
As is usually the case when companies go to PR war, neither one of them are telling the whole story.
First, let’s consider VeriFone’s claims. The Square reader does indeed do something wrong, from a technical security standpoint; it doesn’t encrypt the data that is sent from the reader to the app. If it did, then the fraudulent app idea wouldn’t work. And it’s true that the reader can be subverted to copy, in a split second, all the data on the magnetic stripe of the card. This includes the card holder’s name, the card number, the expiry date, and a special field called the “CVV1” (sometimes called the “card security code,” which is used to confirm transactions).
Sounds bad, right? Well, it’s not as bad as you might think. Look at that list again — everything on it except the CVV1 is printed right on the card itself. So apart from that three digit code, the Square reader is only doing as good a job at cloning the card as a digital camera could do.
Now, that three digit code is certainly troublesome — the thief gets more data with the Square reader than he can with the naked eye. But then again, it’s not like card readers are not easily and cheaply available, because magnetic stripes are in common use for all sorts of applications. It’s true that the Square reader is a possible attack vector, but it’s only one of many and does not deserve the hyperbole used in VeriFone’s open letter.
It’s also worth noting that this entire scenario relies on the fraudster persuading a person to hand over their credit card for a few moments, which would probably involve them posing as a merchant. Compared to installing a skimmer on the inside of an ATM or hacking a card machine in a busy restaurant, this is a very laborious way for them to go about their illicit business.
Moreover, after copying the card details with a Square reader, the thief has no way to put a valid transaction through, which runs the risk of arousing the mark’s suspicions — made more difficult by the fact that Square is designed to provide instant feedback to purchasers by letting them request an email or SMS receipt at the moment of the transaction, which includes the vendor’s information. The best card skimming schemes are those where the person has no idea until their credit card bill comes in the post because that gives the thief the longest time possible to use the card.
And finally, note that in VeriFone’s scenario the thief still doesn’t have the CVV2 number — the so-called “signature digits” — which he would need to use the cloned card for online shopping. These digits are not stored on the magnetic stripe at all, but only printed on the card itself in a font too small to be easily read with a casual glance. (If you’re really worried about those getting skimmed or stolen, memorize them/write them down separately and then obscure them with a Sharpie or a bit of tape.)
So Square’s defense — that it’s no more insecure than “a pen and paper” — isn’t completely true (you can use a Square reader to record the CVV1 number, which is a bit more than you can copy with the naked eye), but is pretty solid. And VeriFone has managed to portray itself as a bullying older brother running scared of its talented younger sibling — quite the PR own goal. This commotion has probably ended up giving Square greater credibility (or, at a minimum, greater exposure).
Meanwhile, VeriFone’s accusations have revealed a deeper truth; not so much that there are flaws in Square’s process, but that the entire role played by magnetic stripe data in credit card handling is problematic. Here in Europe, rising fraud rates prompted most of our banks and retailers to move to a somewhat more secure system, Chip and PIN.
Chip and Pin requires all card transactions to be authorized by the entry of the PIN on a keypad presented by the retailer, in much the same fashion as ATM card transactions are in the USA. This is classic two-factor authentication that relies on something the customer possesses — their card — and something they know — their PIN. The PIN can be rigorously checked by a machine and is more-or-less unguessable to fraudsters (unless they’re watching over the customer’s shoulder), whereas signatures on credit cards can be easily faked and are often not subjected to much scrutiny by the retailer.
Whilst not perfect, Chip and PIN has been shown to cut fraud rates significantly. It seems likely that the US will make a similar change in time for most credit card transactions. Interestingly, this will break Square’s current technical model completely — they will need new, more expensive readers to adapt to that, and their current reliance on magnetic stripe technology also means they cannot expand internationally into territories where Chip and PIN is the norm.