- Takes an existing known medium (in this case email) and makes it way more useful.
- They didn't try to build a bunch of new UI for connecting your Facebook so you can find and invite and pay your friends, paying out to your card, etc.
- It magically hides the messiness of an enormously complex problem (fraud, different types of debit cards & banks all over the world) behind a very simple interface.
- Unlike every other P2P payment system, I can actually sign up and receive money (or convince my friend to) using only what's in my pocket (debit card)... not hunting down ACH/wire details.
That was my first impression. I could rip the site, post it to my own domain, and start sending out emails saying "you've got cash, give me your credit card number so we can credit it" in about 10 minutes. Great concept, and I plan to use the service, but as it gains momentum and acceptance, it's going to be a great attack vector for the Nigerians.
No, they just got an email from someone that happened to have my address in the `From` field.
Since we're in the realm of phishing already, let's not forget that people still commonly enter their email address and email password into sites claiming to "Find your friends who are using this service".
The problem with social attacks is that they spread socially, and it's not enough for just "some", or even "most" people to be educated for it to be stopped.
I don't think Square are ignorant about this, but I'd like to see some confirmation that some measures are in place to counter threats like these.
What also doesn't help is that sites like Facebook leak personal information like sieves. I've been receiving the spam e-mails claiming to be from various of my Facebook friends for some time.
In the happy case, yes. But, that doesn't consider how phishing works.
So, Square trains people that these e-mails are OK. In the happy case, you get the email from a friend, followed by a link/invitation from Square. Everything is fine.
After doing this several times, one day you just get the email that appears to be from Square, informing you that you have money. This is a phishing email and there is no email from a friend, which should raise a red flag, but for many it won't. Or they may just think Square changed the process. Putting the onus on the user to discern this is not a good plan.
Training users to click a link from an email that resulted from a process they didn't initiate, then enter personal/financial information or credentials, is not a good idea.
So is PayPal and just about every other financial institution. Square has some nice safeguards in place here and considering they are going to be the ones paying for fraud abuse, you can be sure they'll be doing everything possible to prevent it.