VeriFone has been making headlines recently with its NFC plans and potential Groupon button, but it seems the payments expert is also hoping to solidify its place in the market by sinking its upstart competitors. The company has kicked off new campaign claiming mobile payments service Square suffers “a serious security flaw”: because the Square credit card reader, which plugs into the headphone socket of your iPhone or iPad, doesn’t encrypt the data from the card, a malicious third-party could write an unofficial app that illegally collects your details.
Video demo after the cut
“A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.” VeriFone
VeriFone has released one such sample app – which the company claims took less than an hour to script up – so that users can try it themselves. Meanwhile they’ve also sent a copy to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor), along with the suggestion that systems like Square “will seriously jeopardize the integrity and security of the payment infrastructure and financial systems.”
Now, Square hasn’t ever claimed that the readers they supply free of charge are anything other than simple ways to convert magnetic stripe information to audio signals that the official app can understand. Frankly, if you hand your card over to someone with malicious intent – whether they’re using Square, cloning your card with any number of different gadgets, or just copying down the numbers on the front – then you’re likely to encounter fraud at some point down the line.
The fact that the Square reader is, in effect, a quicker shortcut than punching in those numbers doesn’t seem to have registered with VeriFone. Square is yet to comment, but we can’t imagine we’ll have heard the end of this, especially with VeriFone getting the industry heavyweights involved and making public just the sort of app that they’re warning could be developed.