VeriFone CEO slams mobile payments startup over security concerns [video]


VeriFone’s CEO, Douglas G. Bergeron, has taken to the Internet to publicly voice his company’s concern with a mobile payments startup named Square. Via a YouTube video and an open letter, Bergeron explains that Square’s reader has a “serious security flaw” that “places consumers in dire risk.” Bergeron and VeriFone’s beef stems from the fact that Square’s reader does not use any type of hardware encryption scheme when scanning cards. What does this mean? If you were to use a VeriFone card scanner, the information scanned off of a credit card’s magnetic stripe would be encrypted, stored, and transmitted to the desired payment agency for processing. Square’s scanners attach to the 3.5mm audio jack of an iPhone, iPad, or iPod touch, and scan and store the read credit card information in plain text, making it later viewable by anyone running a skimming scam.

“A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone,” writes Bergeron. “Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card.”

The information on a credit card’s magnetic stripe isn’t really all that top-secret — since it is also printed on the front of the card, unencrypted — but the CEO’s point about plain-text card-data being stored on a mobile device is certainly valid.

“We take security very seriously,” continues Bergeron. “Securing payment transactions is what we do.”

The company has made a proof-of-concept iOS skimming application for Square’s reader that, along with Bergeron’s open letter, is available via the website sq-skim.com. The YouTube video and custom website, created solely to attack the small startup, do seem a little unorthodox, especially coming from a multi-billion dollar, publicly traded company, but they certainly have gotten people talking about the perceived issue. Square did not respond to BGR’s request for comment on Bergeron’s statements.


34 Comments
  • http://twitter.com/dragonnetworks DC

    Heh. No more secure than Verifone PCCharge and the officially compatible keyboard wedges that output track1/track2 data unencrypted in plaintext.

    • Anonymous

      Will the VeriFone hardware work with non-VeriFone software?

  • Kapil

    In other words, they’re salty because someone out-innovated them in their own field? Also known as the RIAA/MPAA business model….crap all over innovation.

    • sirpaul

      I think they have a point. I wouldn’t want anyone to have even the info on the front of my card.

      • http://twitter.com/NICKVALENTIN0 Nick Valentino

        You go to a restaurant, pay with your credit card, the waiter takes it to the back and writes the info with pencil and paper. WHAT IS THE DIFFERENCE?!

        I mean, do some of you people THINK before you write??

      • sirpaul

        Nobody would take a card ‘to the back’, lol…everything is done on the spot. I think you’d notice if someone was writing your info down. I do think before I write – do you?

      • Anonymous

        @Sirepaul That has happened before and the stories I’ve heard in the news they usually have a card reader/writer and they basically copy the card and can make a duplicate. They are so good at it you can’t even tell they did anything even though you could see them the entire time.

      • sirpaul

        First off, you’re right…ignore my first comment to you.

        And now that I think of it…why waste time with pencil and paper, or even a Square thing. Just take a picture! :) )

      • superator

        As a server I can assure you that I do take the cards to the back, that’s where the POS is. Very few restaurants, none that I know of, have the capability to have a portable POS. So yes, while I’m in the back if I wanted to, I could steal your information, and actually I’ve had it happen; it was a server I worked with, I knew her and she stole my credit card information when I ate at the restaurant she worked at. That’s what happens when you come across people with drug addictions I guess.

      • sirpaul

        Then I apologize for my ignorance :) All the restaurants I go to here in Kitchener have portable POS and they scan the card in front of you. Thanks for letting me know!

    • Steve Hillshire

      It is clear via PCI DSS that all card holder data at rest is encrypted in order to obtain Visa compliance. Plain, simple and widely known by anyone in the field. To store CC numbers in plain text is not only insecure, it’s downright stupid and should be avoided at all costs.

    • http://www.facebook.com/masonicninja Michael Scott Allen

      I completely agree with you. The big corporations are getting slow in their innovations and quick to resort to litigation when someone comes up with a better idea. When did America become a bunch of bitches?

  • Paul

    YouTube pulled the video

  • Anonymous

    So basically someone came up with a neat idea and since Verifone can’t make money off of it, they try and make sure no one else uses it.

    I’m not going to give my card to just anyone and let them swipe it, be it a guy with a phone or someone with Verifone’s setup.

    • Anonymous

      As a note, the video is showing it was removed for violating YouTube’s ToS.

  • sirpaul

    “This video was removed because its content violated YouTube’s Terms of Service.”

    I bet Square got all their employees to mass-report the video, lol.

    BTW Andrew, you spelled “Square” wrong :)

  • sirpaul

    EDIT: double post. Disqus was being retarded again.

  • http://twitter.com/cromag_rickmanu Dan Rickman

    This is a valid concern, but only for stupid people that swipe their credit card without thinking. If you know the person and/or trust the business it’s still safe. People just have to do a little homework before spending their money the mobile way.

  • Tn7871

    Big shark attacking a little fish. They must be worried about losing money.

  • Anonymous

    This is idiotic. This “attack” doesn’t demonstrate anything at all that can’t be gleaned just by looking at the card.

    “OH MY GOD! Square’s device can read a credit card number that is passed through it physically and an application can store that information!!!!!”

    You know what else can be used to store credit card information when you are holding it in your hand and capable of reading the number and CVV code? Pencil and paper. Are pencils a major security risk? Is paper?

    This is FUD. It’s sad that so many people are falling for it. I should say that I expect better from BGR, but I really don’t.

    • Anonymous

      It’s all over the tech sites. Their job is to report tech news, and not be biased. Had they not done a post on this issue I’d have wondered why they didn’t. The tone from commenters on TechCrunch, Engadget, BGR is that everyone knows how stupid it is for Verifone to do this. They are obviously doing this because they are threatened by Square. I personally have used Square since beta and have only had one person ask if it was secure. People should just be smart in general and it is a non-issue.

    • Anonymous

      Or the camera in the smartphone.

    • Anonymous

      C’mon. This hack, which is incredibly easy to accomplish, essentially turns your iPhone into an extremely effective credit card skimmer. Takes much less time than taking a picture, or writing down the details on the card.

      Square needs to fix their hardware so it will only work with Square’s application.

      • Anonymous

        Are you a Verifone employee? Come on. Be serious.

  • iphonesucks

    Apple has security issues? Is this really news?

    • joshie

      It’s not Apple. Did you read the post or just look at the picture of the iPhone? No, don’t answer..I’m pretty sure I can guess.

  • Anonymous

    FUD. Verifone is scared sh*tless. Reminds me of Nokia making fun of the iPhone before it even hit the shelves. If it wasn’t scared of Square, it wouldn’t have gone to such lengths to spread this FUD.

  • joe

    The issue is the fast food jockey that takes credit cards at the drive through – if they spend the time to write down CC info you would know – but you wouldn’t notice them swiping it through a second device. Not that this is any different than a waiter taking your card but the info on the front of a card can be sold for a few dollars to someone who’s willing to attempt to rack up charges online. You aren’t at fault but you are out the time to get it fixed when it happens. I’m sure Square will just work on getting encryption involved.

  • Anonymous

    I’ve been in banking for 22 years. The magnetic strip has the same information on it that anyone with a set of eyeballs can view on the card itself, namely, your name, the card number, the expiration and the 3 digit code on the back.

  • Steve Hillshire

    It amazes me how many people think this is about big company vs little company. Anyone dealing with Visa for example, is required to encrypt card data when it is at rest. This is a blatant violation of that policy and is downright careless programming.

    • Anonymous

      When I swipe a card with a VeriFone PC setup, all the information pops up on my screen in plain text, and if I want to I can print screen for later use. This includes the CVV value.

      Square’s app DOES encrypt the data when it processes the payment. All this is is someone hacking the device itself to work with another app, which you can do with ANY credit card setup.

  • RudyH

    haha wow is America this far behind in banking security, that this is news?

    Having worked for a Canadian bank for 5 years in their IS department looking after everything including fraud technologies, and now working for a mobile device company that prizes themselves on security, it’s no wonder I own a Blackberry to stay ahead of the curve.

  • http://www.facebook.com/masonicninja Michael Scott Allen

    Of course they have a problem with it. They don’t get a percentage of the transaction this way.
    Credit card fraud has been around as long as there have been credit cards. There are so many different security issues that a reader is the least of your concerns. Granted, it’s a less secure system than what VeriFone uses, but that doesn’t detract from the fact that people have been getting their information stolen and abused long before this reader came along.
    I am still recovering from an identity theft eight years ago. The truly insecure portion of this equation is the card and the magnetic strip itself. Not the manner in which it is read.

  • Mabcymraeg

    I think they mean a “flaw” that VeriFone themselves created. Odd how the exact software they are saying is so dangerous at the competition is the software they created to break through the reader. I had my cc scanned right through my wallet IN MY POCKET by some thief. It was caught and they were too… It’s about individual vigilance and knowing who has access to your card. If the Square is used right, the cc owner is standing right there, and has to sign to authorize the transaction. I think VeriFone is far more concerned about the flaw in THEIR company that is now shown as gouging people for fees. Fees for a transaction, fees for a swipe, fees for “monthly access” all of which Square is making moot. That scares the crap out of them
