

Square responds to Verifone's allegations - panarky
https://squareup.com/letters/security

======
rriepe
PR-wise, very well done on Square's part:

-Didn't mention the competitor by name, and stuck to addressing the arguments, without any messy ad hominem stuff.

-Set up a separate page to address this issue. They could have easily lost by simply shifting the focus of the discussion to questioning Square's security. Posting a message on their home page or their blog, for example, makes it an issue to people who had no previous exposure to the issue.

-Stuck to a basic analogy that everyone has experience with, and everyone can understand.

-Used the opportunity to discuss other aspects of Square without throwing it in the reader's face. I had no idea they had a partner bank.

Good on them. I feel Dorsey has a mind for this, but I also find myself
wondering if they had any PR consultation.

~~~
jemka
_I had no idea they had a partner bank._

Chase is probably their processor.

~~~
mey
Verifone mentioned that Chase was their gateway.

~~~
jemka
I think you mean payment processor. Verifone (and its systems) are actually
the gateway.

------
jakewalker
I used to develop kiosks that accepted credit cards for a company I started.
We purchased some $20-$30 USB card swipers in order to capture credit card
numbers and process orders. When you swiped the card, it would return an ASCII
text string with the credit card number, name, and some additional codes (CVV1
and CVV2, I believe). If I recall correctly, the magnetic strip has a number
of tracks, and you could program the reader to read one or all of these
tracks. If you submitted the full string from the swipe to your merchant, you
got a much better rate on the transaction.

The device was something like this:
[http://www.google.com/products/catalog?q=usb+card+swipe+read...](http://www.google.com/products/catalog?q=usb+card+swipe+reader&hl=en&client=safari&rls=en&prmd=ivns&resnum=3&biw=1214&bih=688&bav=on.2,or.&um=1&ie=UTF-8&cid=9253952205062488166&sa=X&ei=BoB4Tb7pJ5CWsgP4uqSDAw&ved=0CF0Q8wIwAA#ps-sellers)

Anyway, seems to me there's nothing new here... just the fact that people can
now get a device capable of decoding the tracks on a magnetic strip for $0
instead of $30.

~~~
bena
Exactly. At first, I listened to Verifone's complaints with an open mind,
because credit card fraud is pretty serious.

But then I started thinking, "That's it? A magstripe reader! You can get those
anywhere and it will do the exact same thing. Unencrypted."

We had to pick one up for a customer so they can use magstripe time cards. To
test it out, we plugged it into a computer, opened Notepad and started
scanning anything with a magstripe.
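
An added example, not part of the thread and not any commenter's code: a scanner a merchant or auditor could run over logs to find and mask the kind of cleartext swipe string described above. It assumes the standard Track 1 (format B) and Track 2 layouts; the sample log and all function names are constructed for illustration.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Luhn checksum: rejects digit runs that only look like a card number."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def mask(pan):
    """Keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text):
    """Return (line_no, track, masked_pan) for each cleartext track found."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    hits.append((no, name, mask(m.group(1))))
    return hits

def redact(text):
    """Replace each Luhn-valid track with a marker holding only the masked PAN."""
    def sub(m):
        pan = m.group(1)
        return f"[TRACK REDACTED {mask(pan)}]" if luhn_ok(pan) else m.group(0)
    return TRACK2.sub(sub, TRACK1.sub(sub, text))

# Constructed sample log; 4111111111111111 is a widely used test number.
SAMPLE_LOG = """\
10:02:11 kiosk swipe raw=%B4111111111111111^DOE/JANE^25121010000000000?
10:02:11 kiosk swipe raw=;4111111111111111=25121010000000000?
10:02:15 order id=1234567890123456 total=12.50
10:03:40 kiosk swipe raw=;4111111111111112=25121010000000000?
"""

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(hit)
    print(redact(SAMPLE_LOG))
```

The last sample line has the track layout but fails the Luhn check, so it is neither reported nor redacted; the order id has no track sentinels and is ignored.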

------
jakewalker
When the entrenched established companies start coming after you, that's when
you know you're onto something.

~~~
SwellJoe
This made me think, "I wish I could invest in Square."

------
latch
UPDATE Since I raised some serious concerns, I wanted to update from the
comments provided. Square _does not_ store the data on the device. The device
must have an internet connection and the data is sent, securely, online. In
other words, the original allegations are stupid any way you slice it.

---

I think I'm missing something.

People seem to think that the problem is that Square can be used as a skimmer
- which I agree is stupid. That's like saying a pen & paper is a skimmer.

However, it _seems_ like the real issue is that Square _stores_ the data on
the device in the clear. What happens if the device gets stolen?

Imagine if a web app stored CC information in the clear and it got hacked,
people would rightfully hold the vendor/processor responsible. _If_ devices
get stolen and data is stored in the clear, Square is totally wrong and they
are totally deflecting/mis-representing the issue.

Can anyone with actual knowledge about this, rather than two businesses pointing
fingers, clear this up for us?

~~~
Groxx
From <http://www.sq-skim.com/>

> _Let me explain how easy it is to exploit the vulnerability._
>
> _A criminal signs up with Square, obtains the dongle for free and creates a
> fake Square app on his smartphone. Insert the dongle into the audio jack of a
> smartphone or iPad, and you've got a mobile skimming device that fits in your
> pocket and that can be used to illegally collect personal and financial data
> from the magnetic stripe of a payment card. It's shockingly simple._
>
> _The issue is that Square's hardware is poorly constructed and lacks all
> ability to encrypt consumers' data, creating a window for criminals to turn
> the device into a skimming machine in a matter of minutes._

The "problem" is that the Square reader thing doesn't encrypt its
communication to the iDevice.

And it shouldn't. As Square said in the letter, by merely _seeing_ your card
someone has enough information to steal from you. At best they could
public-key encrypt the data in the reader itself and pipe the encrypted data to their
servers... until someone cracks the key. Or makes a fake Square reader that's
identical to the ones out now. At which point we're back at square one. As it
stands, Square just made a simpler version of a standard credit card reader,
and for some reason they're claiming it's a security hole.

FWIW: Verifone just guaranteed I'll go out of my way to avoid ever being a
customer of theirs. This is FUD, plain and simple; they're probably doing it
because they see a threat and are trying to squash it, rather than out-perform
it.

~~~
enjo
Is that really right tho?

Let's follow the waiter example. In order to skim the card number they'd have
to put the card down, pull out a pen, and copy it. Likely within plain sight
of their employees. With a skimmer they just discreetly 'double swipe' the
card and they got what they need. It certainly makes it a simpler attack
vector.

Now you don't really need square to do this. There are plenty of magnetic card
readers out there (I seem to recall someone got caught doing precisely this
with a PDA of some kind). That doesn't mean that Square should make it simple.
Why not provide some sort of encryption to the communications layer?

~~~
Groxx
People have cell phones with cameras - just take a picture. Nobody would think
it strange that they have a cell phone in-hand while walking around.

What sort of encryption would you think they could do? And how much larger and
more expensive would it make the reader? And where would it get enough power
to perform the encryption (which MUST be asymmetric to be secure, or the key
can be extracted from the device)? They'd lose all semblance of
interoperability between devices, add a battery, add significant cost, and all
to fight a bogus claim and do nothing to prevent someone from buying a
standard, unencrypted card reader that isn't under fire.

------
deadcyclo
Verifone has a point, but it comes through very badly in what they wrote. It's
all about the issue of trust and habit.

Skimming equipment, both software and hardware, has been freely available for
ages now. And it's quite simple. Anybody who knows how to use ebay and write a
small application can create quite sophisticated skimming equipment
themselves.

The problem is not the availability of the equipment or the know-how. The
problem is what "average Joe" is used to. If "average Joe" would balk when
presented an off the shelf mobile phone to swipe their card through, well,
then skimming using a mobile phone would be hard. But if the banks and payment
processors have trained "average Joe" to know that a mobile phone is a
completely legit way of reading credit cards, well then this type of skimming
is easy.

If no ATMs existed, well, then it would be really hard to skim cards using an
ATM-like device, because people would balk.

It's all about keeping the different legit ways of accepting credit card
payment to a minimum. The fewer legit ways, the fewer possibilities of
skimming.

On the other hand, there is no doubt in my mind that mobile payment will be
the future. Replacing the standard plastic with a chip in your mobile phone
will become commonplace soon, and we will also probably see applications where
you can transfer money to others simply by having both mobile phones interact.

So the question is if the big fuss really helps anyone, or if it's only
delaying the inevitable.

~~~
bradleyland
Giving any credibility to that argument is entirely fallacious because it
fails the infinite regression test. Ultimately, you end up back at the
argument that if we all relied on cash, there would be no credit/debit card
information to steal at all.

Making it difficult to process credit cards doesn't solve the problem of
credit card security.

~~~
deadcyclo
Not talking about making it difficult to process credit cards, but rather
standardizing it as much as possible. I will again use the ATM as an example.
If all ATMs looked exactly the same anybody should be able to detect fake ATMs
and ATMs sabotaged with external skimming equipment.

Security-wise an inexpensive portable standardised terminal would make much
more sense. In the end it would cost a bit more, but this would not
necessarily translate to increased cost for the POS. Less skimming equals
less cost to the service providers _and_ the POS.

------
latch
The original allegation can be found at: <http://www.sq-skim.com/>

(if there's a permanent URL for that, I can't find it).

~~~
famousactress
Man, that letter's awesome. You could replace 'Square reader' with 'Pen' and
the letter's truth and value remain intact.

------
blutonium
Their defense essentially places the onus on their processor (JPMorgan Chase)
to employ "risk mitigation" techniques we all admonish PayPal for.

I guess the question is this: why not use smartcards or RFID? Other countries
have for years. Why not in the US?

~~~
patio11
Chase wouldn't be the one processing skimmed transactions, anyhow - it would
be any merchant or processor the thief could find with weak fraud controls. In
the US, ultimate liability for fraud is usually with the wronged merchant.

You know why Paypal lost a hundred million in fraud? One way was because they
were the weakest link at the time: Paypal got used for cashing. (The hardest,
riskiest part of stealing credit cards: transforming a credit card number into
hard currency, without getting arrested. There are any number of ways to do
this: buy items with a high resale value on eBay, pay with Psypal backed by
stolen cards, sell items for cash. Set up affiliate account with merchant of
high margin item, put sham transactions through using Paypal account backed by
stolen cards, withdraw clean money from affiliate account to which no
accessible link to Paypal accounts exists. etc, etc)

Smart cards/RFID are basically worthless for preventing card not present
fraud, which is the lion's share of it.

~~~
metageek
I know it's an innocent typo, but I love the idea of Psypal. That's when they
use psychics for fraud detection.

------
famousactress
Big kudos for keeping the rebuttal short and clear.

------
aashpak1
Sure, the CC data can easily be stolen even now but assuming Square gets
popular, consumers then will have to "trust one more device" in addition to
the card-readers used by merchants, any other place where you swipe the card,
the waiter, etc etc. And more so because it's much easier to write rogue apps
or malware-apps for smartphones than to hack the dedicated card readers. In
case of a malware-app, the danger is not just limited to one merchant. It
seems to me that the real question raised by Verifone is not being given
enough concern. Why can't the Square card encrypt the CC data with a
private key that only the Square app can make sense of?

~~~
brown9-2
_And more so because it's much easier to write rogue apps or malware-apps for
smartphones than to hack the dedicated card readers_

When I hand over my card to a merchant in a store, how do I know what they are
swiping it in is a dedicated and secure card reader? I don't.

~~~
blibble
In the UK the merchant is not permitted to touch the customer's card; all the
card readers face the customer and are used by the customer (restaurants all
have mobile PIN entry devices).

Now each credit card in the UK has a chip (which uses end-to-end crypto),
they're looking to phase out magstripes completely.

Currently if the merchant has to fall back to using the magstripe then he'll
have considerably less protection against customer fraud, and he'll pay a much
higher transaction fee.

Square would not be permitted to operate in the UK.

~~~
nmcfarl
_Square would not be permitted to operate in the UK._

However, neither would the other 99% of the credit cards in the US. The US
infrastructure is insecure, and Square is no worse than the rest of it.

------
erikpukinskis
One thing that could help this would be if Square let you pick a secret image,
and they would show it in the app, when you're signing.

If someone is using a fake app, they wouldn't be able to incorporate your
secret image, and you'd be tipped off. They'd still get your credit card, but
you'd know it right away, and could cancel your card/call the police right
there.

Same thing banks do on web sites to prevent this same kind of attack.

------
Saad_M
A very measured and sensible response. No set of security measures is 100%
perfect. How you deal with and manage the imperfections is the real test.

------
stitchy
Wait. Isn't the data on the magnetic strip unencrypted anyway? Sure, your
little card reader could encrypt the data, then send little ones and zeros
through the headphone jack to be decrypted by your proprietary software, but
the original data still isn't encrypted. It's just sitting there on the card
in all of its unencrypted glory. This is essentially security through
obfuscation.

------
seanieb
Relevant, how Verifone have been gunning for Square since the start:
<http://www.youtube.com/watch?v=sVOzysmxhyM>

------
jschuur
At best, the issue I can see here is that Square would make it easy to very
quickly and casually skim a card without having to look at it, or be seen
writing down the info from it. A marginal advantage if you already have access
to the card, but conceivably, a fast fingered waiter could pull this off in
public view, and the Square app is perhaps a little easier to conceal than
other card readers.

What about the value of also capturing the CVV1 code, which, as I understand
it, is the only piece of info not already printed on the card?

~~~
brown9-2
CVV is printed on the back of the card. Thus the point remains, once I hand
over my card to someone, all of the information they need to use my card is
printed right on the card.

~~~
jschuur
My understanding is that the CVV2 is printed on the back of the card for phone
and online orders and the CVV1 encoded on the strip for in person orders when
the card is swiped.

I'm not sure what the security rationale is for 2 distinct codes. Maybe the
CVV1 value is designed to prevent thieves from making swipable cards when they
only have the credit card number and didn't clone a card (e.g. they obtained
the card number from a rogue or compromised online store).

~~~
metageek
The two codes are probably because the banks distinguish between merchants
that take cards online and those that only accept physical cards; the latter
get charged less, because they're a lower risk. (At least, that used to be the
case.) With two codes, the banks can require physical-only merchants to
include the CVV2.

------
PHPAdam
Change is so Scary to big Business.

------
overred
~

~~~
Groxx
TiL;De...R? If so, that's kinda clever...

I disagree with tldr on this entirely, however; it's short, to the point, and
an _astoundingly_ good way of responding to the allegations (ie, FUD).

------
alexqgb
tl:dr - FUD backfires, Dorsey FTW.

~~~
stanleydrew
It was already pretty short.

