VeriFone, Square at odds over refuted security flaw
Square, founded in 2009, offers a free payment card reader that can be plugged into the headphone jack of iPhone, iPad and Android devices and be used to accept credit cards anywhere.
In an open letter to industry and consumers on Wednesday, Douglas Bergeron, CEO of rival payment processor VeriFone, said that mobile card readers distributed by Square do not encrypt cardholder data. As a result, ahe said, an attacker could create a mobile application that steals information off a card as it is swiped through the reader.
In a YouTube video, Bergeron demonstrated how Square's card reader could be used to facilitate credit card fraud. VeriFone has called on Square to recall its card readers from the market.
“If the industry allows Square and other similar attempts to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure and financial systems developed over the last three decades,” Bergeron wrote.
The same day, Square's CEO Jack Dorsey, who also created Twitter, refuted claims that his company's card reader is insecure.
“This is not a fair or accurate claim, and it overlooks all of the protections already built into your credit card,” Dorsey wrote in a letter posted on Square's website. “Any technology – an encrypted card reader, phone camera, or plain old pen and paper – can be used to ‘skim' or copy numbers from a credit card. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.”
VeriFone on Wednesday said it has alerted Visa, MasterCard, Discover, American Express and Square's credit card processor, JP Morgan Chase, about the threat. In its statement, Square said JP Morgan Chase “continually reviews, verifies and stands behind every aspect of our service, including our Square card reader.”
Meanwhile, dozens of other companies sell card readers that do not use encryption, Alex Stamos, founder of security consultancy iSEC Partners, told SCMagazineUS.com in an email Wednesday. Plus, he said, VeriFone's claims are “hypocritical” because the company makes several products that run on PCs and allow for credit card payments using unencrypted card readers.
Credit card thieves are already masters at skimming and go to great lengths to modify point-of-sale terminals and ATM machines to carry out fraud, he added. Encrypting cardholder data as it is swiped through a card reader will not curb fraud.
“The real problem is that the magstripe credit card standard is horribly outdated,” Stamos said. “Until the United States moves to a secure, contactless, or preferably a real smartcard solution, fraud will be a continual problem that has nothing to do with Square's product. For VerFone to claim otherwise is both irresponsible and counterproductive.”