
VeriFone Takes The Gloves Off, Accuses Square Of Serious Security Hole - thankuz
http://techcrunch.com/2011/03/09/verifone-takes-the-gloves-off-accuses-square-of-serious-security-hole/
======
modeless
I've just discovered another serious security hole! When you hand your credit
card to a waiter, they can see the credit card number _totally unencrypted_
with their eyes! Clearly the solution is to blind all waiters.

The truth is credit card "security" is a bad joke. The only real defense these
days is the fact that every payment processor has extremely sensitive
fraudulent transaction detection systems because of the consumer protection
laws that put fraud liability on the card issuer instead of the consumer. The
whole system is a relic from the days before the internet and the only way to
fix it is to replace it with something better like NFC.

~~~
webwright
I don't know. Seriously, I don't-- so I'll ask.

I've read that people will attach skimmers to gas station pumps/etc to get
card info, so I assume there's more to be skimmed than just credit card
numbers. So if you have 1 waiter with a Square-skimmer (or any other kind) and
another without, can the first one get any more fraud-ready data than the
second?

~~~
llimllib
> I assume there's more to be skimmed than just credit card numbers

As usual, Le Wik to the rescue:
[http://en.wikipedia.org/wiki/Magnetic_stripe_card#Financial_...](http://en.wikipedia.org/wiki/Magnetic_stripe_card#Financial_cards)

Looks like a skimmer will get you account number, name, expiration date, and
some verification numbers.

> So if you have 1 waiter with a Square-skimmer (or any other kind) and
> another without, can the first one get any more fraud-ready data than the
> second?

No, if you give your card to a malicious waiter he can skim all of its data.
_Because you gave it to him_.

------
pieter
It seems their problem with Square is that it allows you to get the credit
card number in plaintext if you use their hardware. Of course, this is nothing
new: you can buy a cardreader that acts as a USB keyboard for $20 and use that
to read a credit card and output it in TextMate. Square's hardware really has
nothing to do with it: if Square would use something else, you'd still be able
to buy one of those reader thingies for $5 from DealExtreme or some other
site, and use the same procedure to skim a credit card.

One thing Square could do would be to, say, encrypt the credit card info with
a public key, then pass that data on to the app. The app could upload the data
to Square, where it could be decrypted and verified. Of course, this wouldn't
fit in a $2 reader, and there really isn't a point to do this as long as there
are other readers out there that allow you to read the data in plain text.
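
The reader-side encryption described in the comment above, sketched as an added example (not part of the thread, and not Square's or VeriFone's code). The function names, the reader serial and the track data are constructed for illustration; the sketch assumes the reader holds only the processor's RSA public key and binds its serial in as the OAEP label.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample: Track 2 layout around a well-known test PAN, not a real card.
const (
	samplePAN    = "4111111111111111"
	sampleTrack2 = ";" + samplePAN + "=25121010000000000000?"
)

// Upload is what the phone app relays: it can read the serial, not the blob.
type Upload struct {
	Serial string
	Blob   []byte
}

// NewProcessorKey creates the processor's key pair; only the public half
// would be provisioned into readers.
func NewProcessorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ReaderSeal models reader firmware: RSA-OAEP under the processor's public
// key, with the reader serial as the OAEP label so the blob is bound to it.
func ReaderSeal(pub *rsa.PublicKey, serial, track string) (Upload, error) {
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(track), []byte(serial))
	return Upload{Serial: serial, Blob: blob}, err
}

// AppSeesPAN reports whether the PAN is visible in what the app handles.
func AppSeesPAN(u Upload, pan string) bool {
	return bytes.Contains(u.Blob, []byte(pan))
}

// ProcessorOpen models the server: decryption fails if the blob was altered
// or is presented under a different reader serial.
func ProcessorOpen(priv *rsa.PrivateKey, u Upload) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, u.Blob, []byte(u.Serial))
	return string(pt), err
}

func main() {
	priv, err := NewProcessorKey()
	if err != nil {
		panic(err)
	}
	up, err := ReaderSeal(&priv.PublicKey, "READER-0001", sampleTrack2)
	if err != nil {
		panic(err)
	}
	fmt.Println("app sees PAN:", AppSeesPAN(up, samplePAN))
	track, err := ProcessorOpen(priv, up)
	fmt.Println("processor recovers track:", track == sampleTrack2, err)
}
```

An opaque blob can still be replayed by whoever relays it, so a design along these lines would also need a per-swipe counter or nonce checked by the processor; that part is not shown.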

~~~
RickHull
> It seems their problem with Square is that it allows you to get the credit
> card number in plaintext if you use their hardware. Of course, this is
> nothing new: you can buy a cardreader that acts as a USB keyboard for $20

The point is that Square is marketed as a (presumably secure) payment device.
i.e. two strangers (merchant and customer) establish trust so that the
customer feels comfortable making a payment with the merchant's device.

In the case of a standalone card reader, you can skim your own cards all day,
but strangers aren't going to give you their card to skim without a fraudulent
premise.

Square's device provides a non-fraudulent premise, which is why the security
flaw is a problem.

~~~
pieter
I don't get it. What's the difference between using Square, swiping a
customer's credit card and storing the data, or using a POS system, swiping a
customer's CC and storing the data from that? A lot of those packages consist
of a windows/mac machine and a simple reader, you could write a kernel module
or similar to do just that. Is it that Square advertises as being secure?

~~~
RickHull
> What's the difference between using Square, swiping a customer's credit card
> and storing the data, or using a POS system, swiping a customer's CC and
> storing the data from that?

Nothing, really. Most POS systems are resistant to data extraction. Square's
is less so. My main point was that the USB card reader things are not POS
devices. (Or are they?)

~~~
pieter
Yes, they are, that's how most of those systems work.

------
mbreese
I take it that VeriFone has never heard of a magnetic card reader that plugs
into a keyboard port?

This is a very shaky "security hole", if you ask me. When you hand over your
card to someone, there is always a risk for them skimming the number. However,
they kind of have to know the number in order to get paid... so how is this a
security risk that is exclusive to Square again?

------
avree
This 'open letter' has a ring of dishonesty to it.

> Clearly, Square is a threat to VeriFone, so its intentions aren’t so pure
> when exposing this potential issue.

That much is obvious. The letter is geared towards 'protecting the consumer',
but makes the skimming method extremely public (especially with sq-skim.com)

I'm sure this will result in an increase in credit card theft incidents.

I'm also curious as to whether or not the perceived security threat is a bit
overblown—there are many opportunities for my credit card number to be stolen
(either when I use it online, or for physical transactions.) There's _always_
a risk, and as such, I generally don't go passing my credit card (or scanning
my credit card) to vendors I don't trust. I assume that since you'd need to be
physically present to give the card to be skimmed, you'd draw on other
internal factors of trust (and not have much of a higher potential for card
theft than at any other establishment.)

~~~
thenayr
No kidding.

> "In less than an hour, any reasonably skilled programmer can write an
> application that will "skim" – or steal – a consumer's financial and personal
> information right off the card utilizing an easily obtained Square card
> reader."

Oh, but wait, we already DID IT FOR YOU.

VeriFone, protecting consumers by posting hacked apps to skim credit card
numbers.

~~~
paulgerhardt
Were you able to actually find the app? It seems they (wisely) never
posted it.

> Don’t take our word for it. See for yourself at www.sq-skim.com where you can
> download the sample skimming application and view a video of this type of
> fraud in action.

Commenting on the YouTube video has also been disabled. I feel like there is
some sort of parable about glass houses here...

~~~
yrral
<http://www.mediafire.com/?zxtbagfkz7e64ja> Here is the zip of the IPA and
provision file.

~~~
sdrguy
Yrral,

Thank you!!

Is this for the iPhone or for the Android phone?

And do you know how it works?

------
joshu
First they ignore you, then they ridicule you, then they fight you, then you
win.

(I am a square investor.)

------
archgrove
I guess they didn't notice that all smart phones have this ability as
standard, and call it "Camera". One quick snap, and boom - I've stored your CC
number. No need for fancy hardware!

------
undrwd
This attack really struck me the wrong way. I'll never, ever be a verifone
customer.

Verifone really went about attacking its competitor the wrong way.

In the video that demonstrates being able to read the card information with
their own iOS app they mention a criminal glass blower buying a TV with your
credit card after making a purchase with square.

A glass blower, really, ummmmm let me think when is the last time I made a
purchase from a glass blower? Is that a common interaction? I would have
thought they would have chosen a common transaction. Street vendor, food
stand, but no a glass blower. Very strange.

If you follow startups you'll remember that Jim McKelvey developer of the
square hardware in question is a . . . what does he do again . . . oh yeah a
software engineer and glass blower.

This appears to be a personal attack on Jim as well as on Square.

I hope verifone enjoys a good laugh on putting a glass blower in their video.
Hopefully verifone will be writing Mr. McKelvey a large check after the
lawyers are through with this one.

Very poor business practice whether or not

I don't see the download for their skimming app have they taken the app down?
Probably a good idea, I doubt the credit card companies will appreciate them
providing a skimming app regardless of what reading hardware it's using.

It appears their video has been removed from youtube.com for violating terms
of service.

~~~
nchaimov
> I don't see the download for their skimming app have they taken the app
> down? Probably a good idea, I doubt the credit card companies will
> appreciate them providing a skimming app regardless of what reading hardware
> it's using.

I imagine that part of the problem was that they were distributing an iPhone
app binary along with their in-house enterprise distribution provisioning
certificate to the public, which I imagine Apple isn't happy about.

------
Calamitous
In case you've heard of a "corporate hit job" but never knew what one looked
like; rest easy. It looks like this.

------
thinkcomp
I'm kind of surprised Square didn't include some kind of hardware encryption,
but then again, it would probably make the readers a lot more expensive to
manufacture.

One of the amazing things about plastic cards is that they were never designed
in the 1960s with security or the internet in mind. The card itself (with its
Primary Account Number) is an inherently insecure medium. PCI DSS tries to
make up for this by layering rule after rule on how you can treat PAN data,
but as most professionals in the space know, a system is only as secure as its
weakest link. There's really nothing PCI or any other standard can do. By
focusing on cards, Square has opened itself up to all of the problems
associated with them.

Starting from scratch is the best way, and pretty much the only way, to create
a secure payment network in today's environment.

~~~
radicaldreamer
Hopefully with the next gen of NFC devices, this is what we'll get.

------
phwd
Related [2007]
[http://www.cl.cam.ac.uk/research/security/banking/ped/verifo...](http://www.cl.cam.ac.uk/research/security/banking/ped/verifone-response.pdf)

> We believe it is not in the best interest of the consumers, merchants and
> overall payment industry to publish the details of product designs
> describing potential attacks however remote those might be. Even if these
> attacks are difficult to be accomplished it gives the bad guys a leg up on
> research they would not have to do and encourages bad behavior.

in response to : PIN Entry Device (PED) vulnerabilities
<http://www.cl.cam.ac.uk/research/security/banking/ped/>

------
jedsmith
The comments on the story, and the first round here, make me worry that people
are missing the point. Particularly this one:

> VeriFone's point (albeit a stupid one) is that the path from the card reader
> itself to the iOS device is not secure, so it's a hardware "problem."

That point isn't stupid at all, and is actually a legitimate gripe. It is my
understanding that the Square device is only meant to be used with the Square
payment software. Is that wrong? If that's the case, it shouldn't be as easy
as VeriFone claims it is to skim a number from the device. I don't follow card
skimming, but I would think that the point VeriFone is trying to make here is
that Square is making it _easier_ for low-tech criminals to implement a
skimmer. While it is possible today, I've never heard it described as _easy_.

Another of the commenters mentioned that professional card skimmers have their
own devices. That's fine; that isn't the problem here. Professionals will
_always_ do things better than the entry-level criminals. However, from my
reading, it sounds like there is the capability here to write a shrink-wrapped
iOS app that talks to the free Square reader, and you have skimming for a
total investment of an iPod touch (or _lack_ of investment -- you _are_ a
criminal, after all). Which is the problem that VeriFone is bringing up, and I
halfway agree with given the limited evidence presented to me. We're _way_ too
lax with credit cards.

Does the Square app really need to know the card number at all, aside from
transmitting it upstream? What is the vector here? It seems like the Square
device should be a black box that yields only some kind of payment token, and
the app only gets the cardholder name (from their screenshots).

Square's own security page[1] makes this ambiguous, too:

> Card numbers, magnetic stripe data, or security codes are not stored on
> Square client devices.

I've never used Square, so I might be full of hot air. However, I think
instantly painting this as _not an issue_ simply because it came from a
competitor is doing a disservice to the potential (real) vulnerability here.
Read the information, not the source...

[1]: <https://squareup.com/security>

~~~
al3x
Are you serious?

The victim in this scenario is handing their credit card to the attacker.
That's game over. It doesn't matter whether the attacker has a Square, a
VeriFone device, or a piece of paper for writing down the card number. If you
hand your credit card to someone malicious, they can figure out how to do bad
things with it.

I'm a big fan of Square, but it's important to remember that their solution
doesn't remove the traditional risks of credit card usage. But then, there
isn't yet a widely-deployed, field-tested alternative, at least in the US. The
advent of NFC payments may put reasonable crypto in the POS flow, but I'm sure
it's a matter of time before side-channel attacks are discovered in the
burgeoning NFC solutions.

Security is hard. But VeriFone isn't talking about security. They're using
security as an anti-competitive stalking horse, and that's a disgusting way to
do business.

~~~
jedsmith
> Are you serious?

Very, and I will dig my heels in on this. For the record, your point would
have been just as clear without this assertion that my point is stupid.

> The victim in this scenario is HANDING THEIR CREDIT CARD TO THE ATTACKER.
> That's game over. It doesn't matter whether the attacker has a Square, a
> VeriFone device, or a piece of paper for writing down the card number. If
> you hand your credit card to someone malicious, they can figure out how to
> do bad things with it.

So everybody should just stop doing security, since people will figure out
ways around it? Why bother? The Square device, as another commenter points out
elsewhere in this thread, sets the expectation of a legitimate transaction.
It's pushed, it's marketed, it's being set as the new brand of credit card
processing.

As such, Square have a responsibility to make sure that their products do not
make skimming easier. And guess what? VeriFone found a way to skim, easily,
with their product.

This whole "but you can do it on the black market for $20!" argument is,
pardon the Latin, fucking ridiculous. I seriously can't believe there are
people in this thread, who identify themselves as IT specialists, siding with
Square because credit card processing is a lost cause. Internet Explorer 6 is
pretty much a lost cause for Web exploits. Does that mean the rest of the
browsers should not protect against Web exploits? This argument makes
_absolutely no sense_. Who cares what others are doing? Do your product right.

> I'm a big fan of Square, but it's important to remember that their solution
> doesn't remove the traditional risks of credit card usage.

True. But there is NO REASON to make the vector EASIER. PERIOD. Simply because
there are real risks with the vector means that we should take strides to make
the vector _harder_.

~~~
tptacek
Jed, there are exactly two directions you can go from here, and I advise you
to pick one of them instead of standing in the crossroads hollering and waving
your arms.

On one road, you make the argument that it is fundamentally unsafe to accept
credit cards with commodity mobile computing devices, because there is no way
to do chain-of-custody control with insecure magstripe cards. There is a
reasonable case to be made here. I'll disagree with it, but you won't
automatically lose.

On the other road, you can provide one or more specific steps Square could
take to make their commodity mobile card reader device meaningfully more
secure. Be careful on this road because it is dangerous; people, myself
included, will be standing on the side of the road shooting at you. Remember,
anything you come up with must meaningfully improve the security of a device
that can only interact with insecure magstripes.

You can also walk your argument back, which is what I'd do if I were in your
shoes.

~~~
jedsmith
> You can also walk your argument back, which is what I'd do if I were in your
> shoes.

Good point. I'm just leaving my argument where it is, since I've poignantly
lost. The way you summarized it made something clear to me, though, so thank
you for your response.

I had a response typed up to the "we need to switch to $X" elsewhere in this
thread, then discarded it and went back to work after writing a much smaller
one. That's probably the best way forward from the whole mess, since it is
indeed true that magstripe technology is outdated and insecure. It's amazing
to me that with the prevalence of strong crypto we haven't come up with
something better that has been mass-adopted. Until Joe's Gas-n-Snacks in
Bimbleberry, Kansas accepts my new-fangled card, I won't consider the
replacement mass-adopted.

 _There's an interesting aside: Square hurts adoption of new-fangled payment
technologies because it caters only to magstripes._

However, I still disagree on mere principle with "it's already broken, so no
need to do it right for ourselves". That's a dangerous path to take in itself.

~~~
tedunangst
I think your perspective on what's broken is an issue.

It's one thing to say "everybody else is crappy, we can be crappy too." I
agree, that's bad. Doing better can be a great differentiator.

It's another thing to realize "the input we receive is broken, our output will
be too". Garbage in, garbage out.

Square, having decided they are going to be in the business of reading
magnetic stripes, cannot make those magnetic stripes any more secure than they
already are (not). They could maybe do better/right by being in a different
business, but they can't do the business they are in any better.

------
ig1
It comes down to what Square are trying to do, if they want to be "another
credit card reader device" then this isn't a security hole.

On the other hand if they want to take the PayPal approach and build a secure
payment brand which says "we're a securer way to pay because the end merchant
never sees your credit card details", then it is a security hole, because it
means you can't trust the Square brand to act as a layer between you and the
merchant.

------
dclaysmith
So is there a security flaw in the combination of the Square reader (hardware)
and Square app (software)? That would be a problem and VeriFone wouldn't be in
the wrong pointing it out.

Or is VeriFone just saying that hardware Square manufactures can be used for
skimming? If that's the case, the email is pretty ridiculous. Skimming
technology is nothing new and like others have said, readily available.

------
adolph
Can I download VeriFone's pseudo-Square app from the App Store? I don't see an
iTunes link on their website.

------
drivebyacct2
The comments are spot on on the TC article. Does TC really not think about
these things before publishing? If you give me your credit card, I can steal
your CC info regardless of whether or not I use a card reader, a camera or a
pen/paper. This is just sad.

------
pitdesi
There are two dangers here:

1\. This actually does lead to a breach of card numbers, in which case Square
will face penalties from Visa/MC/Amex - those penalties can be huge because
they are calculated based upon the number of cards that were compromised
(check out Heartland's breach last year).

2\. Verifone is able to convince Visa/MC/Amex that Square is not PCI compliant
and that they should fine Square out of existence (it's not a legal thing,
it's at Visa/MC's discretion).

#1 is somewhat likely, on Android moreso than Iphone, there have been android
viruses before.

#2 isn't that likely, unless there is actually a breach and it ends up costing
Visa and Mastercard money, Square is strategic to Visa and Mastercard because
it gives them access to an entirely new customer base (that Verifone hasn't
had any luck with).

1\. Customers don't give a shit. We hand our cards over into insecure
situations all the time without thinking twice.

2\. Businesses don't care either - they only care about PCI and security when
either their acquirer (in this case Square, which won't do it) or Visa/MC
start fining them or threaten to shut them down.

