
VeriFone, and its open letter against Square

I’m writing this in response to VeriFone’s “open letter” regarding the security, or lack thereof, of the Square credit card reader, because I hate seeing a good-natured startup bashed by a competitor worried that it may catch up or even overtake its business. The whole thing has been covered on TechCrunch and GigaOM already, and it is making the rounds on Twitter. First, an analysis of the VeriFone statement.

An open letter?

Today is a wake-up call to consumers and the payments industry.

No, the wake-up call came when the first carders started hitting the credit card industry years ago.

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader.

Why would anyone waste the time? There are ‘skimmers’ designed exclusively for the task of stealing credit card data, and, even more curiously, they are available right on eBay (more on this later).

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

A criminal doesn’t need to sign up for anything; he can just buy a purpose-built skimmer and start “working”. Skimmers are used, for example, by bartenders, in parallel with the legitimate POS terminal that processes the payment. It takes a second to swipe a card through a skimmer, so any moment the card is out of the owner’s sight is an opportunity to steal it. It makes no sense to put the skimming device and the legitimate payment processing device into the same device. Let me write that bigger, as it is an important point.

It is universally stupid to place skimming and legitimate readers into the same device.

Consider why bank-issued POS devices have not been hacked to skim cards while performing their legitimate duty. The same reasons apply to the Square solution:

  1. The corrupt employee needs to dump the skimmed card data, which means taking the device away with him or connecting it to a PC for download. It looks mighty suspicious to connect your restaurant’s POS terminal, or the iPhone your employer gave you, to a PC, never mind walking off with it every night.
  2. Legitimate devices carry tamper-evident seals; on inspection by the bank or a maintenance agency, the game will be up.
  3. Criminals need to duplicate the legitimate functionality, which means connecting to the payment gateway. This requires testing to verify that it works, and testing generates noise, and attention, during development.
  4. In many cases, to duplicate the legitimate functionality the criminal would need to extract the signing and/or encryption keys that authenticate the device to the payment gateway. This is a PCI requirement in every implementation I have seen, and extracting them would mean the keys themselves have been compromised.
  5. If the skimmer is the owner of the business, which moots some of the points above, he is foolish enough to deserve being caught. And he will be.

[Update] Some say that skimmers have been found inside POS devices. True, but this is different from modifying their logic: one can add a card reader in parallel, which is later removed via an access door and taken away, or add cables that carry the card data to a secondary remote device.

The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

Repetition. Also, calling the hardware poorly constructed is a highly subjective observation. It is cheap and no-frills, but cheap does not mean poorly constructed.

And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card.

This is false, in the same way that a skimming operation cannot masquerade as a restaurant, complete with plastic food, just to swipe cards. Nobody in their right mind hands a card to a stranger unless it is part of an actual payment, and an actual payment requires at least some level of background checks on whoever receives it. Matching skimmed cards to their source is straightforward once a pattern of purchases versus fraud reports is established. Many skimming employees get caught this way, and they use dedicated devices to skim; the catch rate would go up if they used the method VeriFone proposes!
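The matching the paragraph above refers to is what issuers and card brands call common-point-of-purchase (CPP) analysis: intersect the purchase histories of cards later reported as counterfeit and look for the merchant they share. The following is an added example, not part of the original post, run over a constructed transaction log; the merchant names, card tokens, dates and fraud reports are all made up.

```python
"""Common-point-of-purchase (CPP) analysis over a constructed transaction log.

Added example, not part of the original post. Issuers locate a skimming
merchant by intersecting the purchase histories of cards that were later
reported as counterfeit: the merchant that appears in most of those histories,
but in few clean histories, is the probable compromise point.
All merchants, card tokens and dates below are made up.
"""
from collections import defaultdict
from datetime import date

# Constructed log: (card_token, merchant, purchase_date). Tokens stand in for
# PANs; an analytics table must never hold raw PANs.
TRANSACTIONS = [
    ("tok_01", "Grill House", date(2011, 2, 1)),
    ("tok_01", "Gas Mart",    date(2011, 2, 2)),
    ("tok_02", "Grill House", date(2011, 2, 3)),
    ("tok_02", "Corner Cafe", date(2011, 2, 4)),
    ("tok_03", "Grill House", date(2011, 2, 5)),
    ("tok_03", "Gas Mart",    date(2011, 2, 6)),
    ("tok_04", "Grill House", date(2011, 2, 7)),
    ("tok_05", "Grill House", date(2011, 2, 8)),
    ("tok_05", "Corner Cafe", date(2011, 2, 9)),
    ("tok_06", "Gas Mart",    date(2011, 2, 10)),
    ("tok_06", "Grill House", date(2011, 3, 20)),  # after tok_06's report: ignored
    # cards that were never reported
    ("tok_07", "Gas Mart",    date(2011, 2, 1)),
    ("tok_08", "Corner Cafe", date(2011, 2, 2)),
    ("tok_09", "Gas Mart",    date(2011, 2, 3)),
    ("tok_09", "Corner Cafe", date(2011, 2, 4)),
    ("tok_10", "Grill House", date(2011, 2, 5)),
    ("tok_11", "Corner Cafe", date(2011, 2, 6)),
    ("tok_12", "Gas Mart",    date(2011, 2, 7)),
]

# Constructed: the date each card's issuer reported counterfeit (cloned-card) fraud.
FRAUD_REPORTS = {
    "tok_01": date(2011, 3, 1), "tok_02": date(2011, 3, 2), "tok_03": date(2011, 3, 3),
    "tok_04": date(2011, 3, 4), "tok_05": date(2011, 3, 5), "tok_06": date(2011, 3, 6),
}


def cards_per_merchant(transactions, fraud_reports):
    """Split the log into sets of compromised and clean cards seen at each merchant."""
    fraud_seen = defaultdict(set)
    clean_seen = defaultdict(set)
    for token, merchant, when in transactions:
        if token in fraud_reports:
            # The skim must precede the fraud report; later swipes at the
            # merchant are irrelevant and may even be the clone being used.
            if when < fraud_reports[token]:
                fraud_seen[merchant].add(token)
        else:
            clean_seen[merchant].add(token)
    return fraud_seen, clean_seen


def common_points(transactions, fraud_reports, min_coverage=0.5):
    """Rank merchants by the share of compromised cards that passed through them.

    coverage: fraction of compromised cards swiped at the merchant before
              their fraud report.
    lift:     coverage divided by the fraction of clean cards seen there, so a
              busy merchant everybody visits does not outrank the real source.
    Returns [(merchant, coverage, lift), ...], best candidate first.
    """
    if not fraud_reports:
        return []
    fraud_seen, clean_seen = cards_per_merchant(transactions, fraud_reports)
    n_fraud = len(fraud_reports)
    n_clean = len({t for t, _, _ in transactions} - set(fraud_reports))
    ranked = []
    for merchant in set(fraud_seen) | set(clean_seen):
        coverage = len(fraud_seen[merchant]) / n_fraud
        if coverage < min_coverage:
            continue
        clean_share = len(clean_seen[merchant]) / n_clean if n_clean else 0.0
        lift = coverage / clean_share if clean_share else float("inf")
        ranked.append((merchant, round(coverage, 2), round(lift, 2)))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for merchant, coverage, lift in common_points(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant:12s} coverage={coverage:.2f} lift={lift:.2f}")
```

On this data “Grill House” is seen by five of the six compromised cards but only one clean card, while “Gas Mart” is seen by half of each group, so lift separates the bar with the skimming bartender from the busy forecourt everybody uses. Real programs work on far larger logs and add a time window, but the intersection is the whole idea, and it is why a skimming employee with a steady stream of victims does not stay hidden for long.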

Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.

Unless they take the same precautions as they do when they hand over their plastic at any other location.

Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor), and we invite their comments.

Square has most likely already gone through PCI audits and checks to become a payment gateway. These include a full description of its operation, which is no different from that of the many POS terminals built on COTS readers that dump plaintext card data over RS232 or USB links. I have personally implemented such a system; it was accepted under PCI DSS and put into service. The security boundary isn’t between the reader and the application, but between the application and the rest of the system. If the application itself is corrupt, it is easily caught and dealt with.

Secure payment systems, like those provided by VeriFone and other credible providers which adhere to the highest level of security practices, are critical in protecting consumers, merchants and banks.

Ah! Finally, the real motive of the “open letter”: to remark that VeriFone is a competitor that provides secure payment systems, and that it is worried about competitors like Square.

There is great promise in the future of mobile payments and our innovations will help drive the industry forward.

Even more self-promotion, not in the spirit of an open letter. An open letter is open precisely to invite commentary and criticism, not to sell one’s own products or ideas.

Security by FUD

The “open letter” also has an elaborate video attached, with careful editing and effects, something that took time and effort. It looks like one of those ads politicians run when they get into mud-slinging matches before elections, and it adds nothing to what the letter says. [Update] The video has been removed by YouTube for violating its terms of service. VeriFone has re-uploaded it to Brightcove, showing further intent to damage a competitor rather than to make the industry more secure.

In addition, VeriFone has gone through the trouble of registering a custom domain name, sq-skim.com, through GoDaddy, and uses GoDaddy’s Domains By Proxy privacy service to cloak who is behind the domain. VeriFone should note that if a defamation lawsuit is brought, these privacy services are worth nothing, as the court can request the original registrant records. It looks really bad to register a domain name that contains your competitor’s abbreviated name (“sq” for Square) joined to a word full of criminal intent such as “skim”. It makes it appear that Square sells skimming devices rather than a payment solution that competes with VeriFone’s.

Finally, the letter lists “resources”, which are nothing but links to marketing papers, articles negative towards Square, and “news” about skimming. The final touch is a “Be Secure Now” box with a big blue button that reads “Sign up for PAYware Mobile”. All of this makes the whole thing stink even more of mud-slinging in an attempt to kill a competitor.

Wait, skimmers for sale on eBay?

Yep. There are skimmers for sale on eBay. Search for “card skimmer” and, although there are no direct results, you are offered related searches such as “bank skimmer” or “credit card skimmer”.

Search instead for “portable card reader”, and you are presented with a wide selection of small, battery-powered magnetic stripe readers, such as the one whose listing is discussed below.

It is ironic that eBay provides buyer protection on an item designed to scam buyers at physical retail locations.

The listing is even so helpful as to show a picture of an actual Bank of China credit card being swiped through the reader, showing how small it is!

Major selling points and features are listed, but some are particularly striking for something that pretends to have a legitimate use:

512 K bytes memory for storing more than 2,000 records of data

OK, so we can fit 2,000 credit cards into this tiny thing. Useful.

3-track version can collect all three tracks’ data…

Meaning all the information needed to make a physical clone of a credit card, including the CVV1 stored on the stripe (in practice tracks 1 and 2 already hold the PAN, expiry, service code and CVV1; track 3 is rarely used on payment cards).
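To make concrete what “all three tracks” buys a cloner, here is an added example, not from the original post or the listing, that parses ISO/IEC 7813 Track 1 and Track 2 data as a reader emits them and reports what one swipe yields. The sample swipe is constructed around the well-known 4111 1111 1111 1111 test number; the cardholder name, expiry, service code and discretionary data are made up.

```python
"""Parse ISO/IEC 7813 magnetic-stripe Track 1 and Track 2 data.

Added example, not part of the original post. Shows what a portable reader
captures from one swipe of a payment card. The sample tracks are constructed
around a well-known test PAN; name, expiry and discretionary data are made up.
"""
import re

# Constructed sample: the two tracks a reader would emit for one swipe.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^13051011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=13051011234567890123?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")

# Service code meanings (ISO/IEC 7813): first digit = interchange/chip,
# third digit = allowed services and PIN requirements.
SC_D1 = {"1": "international", "2": "international, chip card", "5": "national",
         "6": "national, chip card", "7": "private"}
SC_D3 = {"0": "no restrictions, PIN required", "1": "no restrictions",
         "2": "goods and services only", "3": "ATM only, PIN required",
         "4": "cash only", "5": "goods and services, PIN required",
         "6": "no restrictions, PIN if PIN pad present",
         "7": "goods and services, PIN if PIN pad present"}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; weeds out mis-read or non-card stripes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits showing at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def describe_service_code(sc: str) -> str:
    return f"{SC_D1.get(sc[0], 'reserved')}; {SC_D3.get(sc[2], 'reserved')}"


def parse_swipe(track1, track2):
    """Return what one swipe yields, or None if it is not a readable payment card.

    Either track may be absent (many readers emit only Track 2). When both are
    present the PAN and expiry must agree, otherwise the read was garbled.
    """
    t1 = TRACK1_RE.match(track1) if track1 else None
    t2 = TRACK2_RE.match(track2) if track2 else None
    if t1 is None and t2 is None:
        return None
    primary = t2 or t1
    pan = primary["pan"]
    if not luhn_ok(pan):
        return None
    if t1 and t2 and (t1["pan"] != t2["pan"] or t1["exp"] != t2["exp"]):
        return None
    exp = primary["exp"]
    return {
        "pan_masked": mask_pan(pan),
        "name": t1["name"] if t1 else None,
        "expiry": f"{exp[2:]}/{exp[:2]}",  # stripe holds YYMM; show MM/YY
        "service_code": primary["sc"],
        "service": describe_service_code(primary["sc"]),
        # CVV1 lives inside the discretionary data; its exact position is
        # issuer-specific, but any Track 2 reader captures the field whole.
        "discretionary_captured": bool(primary["disc"]),
        "tracks": [n for n, t in ((1, t1), (2, t2)) if t],
    }


if __name__ == "__main__":
    for key, value in parse_swipe(SAMPLE_TRACK1, SAMPLE_TRACK2).items():
        print(f"{key:24s} {value}")
```

Two things the parser makes visible. Everything a counterfeit stripe needs is already on tracks 1 and 2, which is why a two-track reader is as dangerous as a three-track one. And the service code is captured too: a first digit of 2 or 6 tells an EMV-capable terminal that the card carries a chip and the transaction should be done with the chip, so a cloned stripe of a chip card is useful mainly at terminals that do not enforce that.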

Password Protection defends user

… from law-enforcement officers trying to see what the waiter or gas station attendant dumped onto the device, surely. Useful for denying criminal use of the thing. A self-destruct or auto-wipe button would be even better.

Transfer data to MSR206, MSR605 and MSR606 directly

This is the real kicker: transfer the skimmed credit card data directly to the magnetic stripe encoder models of choice in the carder “industry”. You don’t even need a computer to make physical copies of stolen credit cards; just connect the two devices and go!

Bi – Directional

So it reads a card swiped in either direction: eyes-free, battery powered, no need to pay attention while you swipe the customer’s card under the counter while he isn’t looking.

My question to VeriFone: why don’t you write an open letter to eBay about the blatant trading of what are evidently skimming devices? None of the above ‘features’ can be found on Square’s device. Maybe register ebay-skim.com in the process. I just checked on GoDaddy, and it can be yours for just $11.99.


10 Responses to “VeriFone, and its open letter against Square”

  1. me March 10, 2011 at 00:16 #

    I work in a place that has a loose connection to VeriFone’s services. I will no longer be recommending them. Scumbags.

  2. Levy March 10, 2011 at 00:35 #

    Thanks Mike for a great post. I am a Square customer/small business owner, so to see Verifone pull this stunt reminds me of how this type of “business” is becoming so common. Politicians put it to good use, so companies decide, hey, sling some crap in the name of something good and it will go. It amazes me that no one at Verifone thought this out. Their stunt is not going away and they are looking like idiots for it. Intelligent people can see through their “open letter” for what it is and I only hope Square at least files suit for defamation or libel. Thanks again.

  3. shaun March 11, 2011 at 05:42 #

    Hi

    It’s been pointed out many times that the data available for skimming is already easily accessible.
    So let’s move past that obvious point and look a little further..

    The precedent being set is swiping cards in “anything that looks like an EFTPOS device”. That is the real problem.
    How does anyone know when they’re using a legit device?
    How does one spot an illegitimate device?

    A legit EFT device will prompt you to enter your PIN for the transaction, if you choose that method of payment. Um.. uh oh!

    So; someone writes an app that looks like any of these handheld devices.. it doesn’t even have to look like Square’s UI at all – it can be totally custom. It doesn’t need to talk to any services. It doesn’t need to worry about transactions or anything like that, it just says “Transaction Approved” after the user enters their PIN.

    There is no “trail” left by the bad guys, no registration of a business.. nothing..

    Now the scammer has the card details and the user’s PIN – please explain how this is not a problem.

    • Mike March 11, 2011 at 15:31 #

      shaun,

      You don’t seem to understand the difference between magstripe and chip&PIN, as it is commonly known. If a customer has his card swiped, the store must get a physical signature; this is done through the iPhone UI in Square’s case. There is no requirement for the user to enter his PIN; in fact, many users will become suspicious, as it is one of the things banks have been hammering on about for the last couple of years (“don’t give your PIN to anyone”, “only type your PIN if your card’s chip is being used”).

      In the event that a criminal were to clone or create a brand new payment app that looked legit, and let’s assume they don’t provide the real payment functionality but, as you say, only simulate it, what happens when the user asks for a receipt to be sent to his email address, as the Square functionality supports? Any excuse is going to look extremely weird. At that very moment, the user has the criminal right in front of him (there is no way to conceal something like this from an unknowing employee), holding the very device used to skim his card – way too much heat.

      Read this document, and understand that security is an integral process:

      https://www.pcisecuritystandards.org/documents/skimming_prevention_form.pdf

      Does a shop take orders over the phone? Do they get card details over the phone (card-not-present transactions)? Are they sure their phone lines have not been bugged? This has happened MANY times.

  4. Trygve May 29, 2011 at 16:58 #

    Not to slight Square, or anything, but…

    If anyone asked me to let them drag my card through a reader mounted on an iPad, iPhone or similar device, no matter how well-made it looks, I would refuse, and take my business elsewhere.

    Doesn’t support Chip/PIN?
    Count me out…
    (I have two cards. On my debit card I have physically removed part of the magnetic stripe. Skim that! )

    A bit of silly business…
    A gentleman from eastern Europe was stopped at customs when coming to Norway some time ago. He had an entire ATM FRONT with him. Yes, he was arrested… And no, they couldn’t keep him behind bars. It seems that while skimming is illegal, owning equipment that MIGHT be used for the purpose isn’t…
    (There isn’t any other use for a fake ATM… Really there isn’t. )

    There have been break-ins at stores where one of the items stolen was the card reader. That same reader has later been found placed in another store (usually in the same chain, as they’re likely to have the same model present)…
    Completely intact, of course, if you ignore the skimmer kit with radio transmitter that has been added.

    For that reason, many stores now have the readers securely bolted to the counter, or tied down with a solid wire.

    Good rules seem to be:
    1. Never let anyone else ‘operate’ the card. Never let them swipe it for you, never leave it at the bar or any of that crap.
    2. Chip and PIN or no deal.
    3. It’s OK to grab and pull on parts of an ATM. If it comes loose it either didn’t belong there, or it was a manufacturing defect…
    4. If your bank offers ‘area blocking’ for your cards, activate it. My cards can only be used in Norway (for direct payments in stores, in ATMs and such). Any direct use anywhere else will be blocked and I get a warning on the phone. If I travel somewhere it only takes a minute to log in to my bank’s website and activate the card for other areas.
    If your bank doesn’t offer this service, pick another bank that does.

    And if your bank doesn’t use a RSA-key or other ‘random number’ code system, stay very clear of them. They probably use WWII veterans as guards, too. ‘Our security forces have a lifetime of experience’ doesn’t matter that much if they have lived an entire lifetime… or two…

  5. peter conrad September 14, 2011 at 05:12 #

    Why am I not surprised that Verifone would try and bash Square like this. For the last two years we have been using a Verifone (which we purchased new last year to replace another one we had that crapped out when we needed it most, during a large selling event). We tried to use the new one again this year for the same event and it crapped out too, saying that there was an illegal intrusion which, according to the service provider Heartland, has destroyed the new Verifone device, rendering it useless. And guess what… unfortunately they say that the machine was 3 days out of warranty… can you believe that? Heartland had no wireless remote machines to loan us… so we turned to Square and it has been working like a charm… sooooooooo much cheaper and no monthly fee like with Heartland and Verifone. In my opinion they are going to continue to rip people off until the very end… getting every possible dollar out of people who are not aware of alternatives… in my opinion Heartland and Verifone are in cahoots and are crooks in my eyes. We are cancelling service immediately.

Trackbacks/Pingbacks:

  1. Square’s Dorsey: Verifone Security Claims Not Accurate: Tech News and Analysis « - March 10, 2011

    […] Puchol, a wireless expert and GigaOM commenter, had a good run-down of the situation. He said skimmers have been available before Square and that criminals are unlikely to use a […]

  2. Verifone calls out Square | thinkd2c - March 10, 2011

    […] a detailed review of the situation check out Mike Puchol’s post. […]

  3. Square responds to VeriFone - March 11, 2011

    […] of the best and most interesting abstracts deconstructing the Open Letter is over at Mike Puchol.com, which is well worth checking […]

  4. 4 Overlooked Nuances of Social Media Culture - March 29, 2011

    […] questionable within Twitter and by popular bloggers, who viewed the letter as an attempt to protect an established business by stamping out an innovative […]
