

Is sending money as the subject of a mail really a good idea? - djsampath

AFAIK SMTP can be spoofed pretty easily. Does anyone know the measures that Square https://square.com/cash uses to protect transactions?
======
dangrossman
Click the "Security" link on that very page.

[https://squareup.com/help/en-us/article/5144-square-cash-sec...](https://squareup.com/help/en-us/article/5144-square-cash-security)

If you use an app, they sign the mails. If you use regular e-mail, you have to
confirm the transfer, which means simply spoofing a mail from you won't work.

~~~
nlfurniss
I haven't confirmed any transfers. I get email and SMS alerts, but once I
press send it's done.

------
michaelstewart
Yeah it seems fairly problematic, I remember an article on HN about how easily
it could be circumvented. I'm not sure what Square is doing to protect
transactions. However, with over $300M in VC money I'm sure Square will cover
any fraud until they figure out a way to make things more secure just like
PayPal did in 2000.

~~~
djsampath
Fair enough. It's just that I feel like they need to make this really
apparent before I would feel comfortable enough to use this as a product.

Purely from a product point of view, I wonder if this is one of the cases
where having more friction to send money from one account to another is a
good thing.

Perhaps there is now a stronger motivation to write a javascript browser
exploit Step 1: that detects an active gmail (or other webmail) session Step
2: then sends out an email of small enough $ amounts from a large number of
email addresses Step 3: send the email to a federated set of email accounts
that Square considers legitimate users with associated debit cards Step 4:
Rinse, repeat this for a few hops to make tracing a trifle harder. Step 5:
Make Ocean's 11 bag of tricks look as bad as an O(2^n) algorithm.

If they have indeed figured this part out - then I would be really curious to
learn what that gotcha is!

~~~
dangrossman
It's extremely unlikely someone will discover a JavaScript bug that provides
access to the interpreter running in _other_ tabs. Regardless, if someone has
gained control of your webmail tab, they have control of the whole browser. At
that point, there's no need to play around with Square Cash e-mail tricks, the
malware author can steal credit and debit cards, bank account numbers and
other valuable data directly. That's the "gotcha"; if you've already broken
into a bank's vault, you don't go back to the tellers and try to make
withdrawals with fake IDs.

