I’m writing this in response to VeriFone’s “open letter” regarding the security, or lack thereof, of the Square credit card reader device, as I hate seeing a good-natured startup get bashed by a competitor worried that it may catch up or even overtake its business. The whole thing has already been commented on at TechCrunch and GigaOM, and it’s making the rounds on Twitter. First, an analysis of the VeriFone statement.
An open letter?
Today is a wake-up call to consumers and the payments industry.
No, the wake-up call came when the first carders started hitting the credit card industry years ago.
In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader.
Why would anyone waste the time to do so? There are ‘skimmers’ designed exclusively for the task of stealing credit card data, and what’s even more curious, they’re available right on eBay (more on this later).
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
A criminal doesn’t need to sign up for anything; he can just buy a purpose-built skimmer and start “working”. Skimmers are used, for example, by bartenders, in parallel to the legitimate POS tool that processes the payment. It takes a second to swipe the card through the skimmer, so any time the card is out of the owner’s sight it is ripe for stealing. It is logically stupid to have the skimming device and the legitimate payment processing device be the same device. Let me write that bigger, as it is an important point.
It is universally stupid to place skimming and legitimate readers into the same device.
As an example, one would think: why haven’t bank-issued POS devices been hacked to skim cards while performing their legitimate duty? The same would go for the Square solution. The reasons:
- The corrupt employee needs to dump the skimmed card data. He needs to take the device away with him, or connect it to a PC for download. It looks mighty suspicious to connect your restaurant’s POS terminal, or the iPhone given by your employer, to a PC, never mind walking away with it every night.
- Legitimate devices come with tamper-evident seals; upon inspection by the bank or a maintenance agency, the game will be up.
- Criminals need to duplicate the legitimate functionality, which means connecting to the payment gateway. This requires testing to verify functionality, which generates noise – and attention – during development.
- In many cases, to duplicate the legitimate functionality, the criminal would need to extract signing and/or encryption keys that verify authenticity against the payment gateway. This is a PCI requirement in every implementation I have seen, and would mean the keys themselves have been compromised.
- If the skimmer is the owner of the business, which moots some of the above points, he is so dumb he deserves to be caught. And he will.
[Update] Some say that skimmers have been found inside POS devices. True, but this is different from modifying their logic: one can add a card reader in parallel, which is then removed via an access door and taken away, or add cables that carry the card data to a secondary remote device.
The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.
Repetition. Also, the note about being poorly constructed is a highly subjective observation. The reader is cheap and no-frills, but this doesn’t mean it is poorly constructed too.
And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card.
This is false. A criminal cannot simply masquerade as a restaurant, complete with plastic food, just to skim cards. Nobody in their right mind will hand a card to a stranger unless it is involved in an actual payment. An actual payment requires at least some level of background checks on those receiving the payment. Matching skimmed cards to a source is extremely easy once a pattern of payments vs. skims is established. Many skimming employees get caught this way, and they are using other devices to skim; the catch rate would go up if they used the method proposed by VeriFone!
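The matching the post describes, skimmed cards traced back to their source through the pattern of payments, is what issuers call common-point-of-purchase analysis. The following is an added Python example, not from the original post, using constructed transaction records and a constructed list of cards later reported as compromised:

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: each transaction is (card_id, merchant, date).
# Card ids and merchant names are made up for this illustration.
TRANSACTIONS = [
    ("card-001", "Diner A", date(2011, 2, 1)),
    ("card-001", "Gas Station B", date(2011, 2, 3)),
    ("card-002", "Diner A", date(2011, 2, 2)),
    ("card-002", "Bookshop C", date(2011, 2, 5)),
    ("card-003", "Diner A", date(2011, 2, 4)),
    ("card-003", "Gas Station B", date(2011, 2, 6)),
    ("card-004", "Bookshop C", date(2011, 2, 7)),
    ("card-005", "Diner A", date(2011, 2, 9)),
    ("card-005", "Bookshop C", date(2011, 2, 10)),
]

# Constructed: cards later reported as compromised, keyed to the date of
# their first fraudulent use. Only swipes before that date can be the leak.
COMPROMISED = {
    "card-001": date(2011, 2, 20),
    "card-002": date(2011, 2, 22),
    "card-003": date(2011, 2, 25),
}


def common_points_of_purchase(transactions, compromised, min_coverage=0.5):
    """Rank merchants by how many compromised cards were swiped there before
    their first fraudulent use. Returns (merchant, bad_cards, coverage,
    precision) tuples, where coverage is the share of all compromised cards
    seen at the merchant and precision is the share of the merchant's cards
    that went bad. Merchants below min_coverage are dropped."""
    bad_at = defaultdict(set)   # merchant -> compromised cards swiped there
    all_at = defaultdict(set)   # merchant -> every card swiped there
    for card, merchant, when in transactions:
        all_at[merchant].add(card)
        first_fraud = compromised.get(card)
        if first_fraud is not None and when < first_fraud:
            bad_at[merchant].add(card)
    ranked = []
    for merchant, bad in bad_at.items():
        coverage = len(bad) / len(compromised)
        precision = len(bad) / len(all_at[merchant])
        ranked.append((merchant, len(bad), coverage, precision))
    ranked.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return [r for r in ranked if r[2] >= min_coverage]
```

On the sample data, Diner A is the only merchant every compromised card passed through, so it heads the list; a real issuer would run this over millions of transactions, but the logic is the same.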
Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.
Unless they take the same precautions as they do when they hand over their plastic at any other location.
Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor), and we invite their comments.
Square has most likely already gone through PCI audits and checks to become a payment gateway. This includes a full description of their operation, which is no different than many POS terminals using COTS readers that dump card data over RS232 or USB links. I have personally implemented such a system, and it was accepted under PCI rules and put into service. The security isn’t between the reader and the application, but between the application and the rest of the system. If the application itself is corrupt, it is very easily caught and dealt with.
Secure payment systems, like those provided by VeriFone and other credible providers which adhere to the highest level of security practices, are critical in protecting consumers, merchants and banks.
Ah! Finally, the real motive of the “open letter”: none other than to point out that VeriFone is a competitor and provides secure payment systems, and that it is scared of competitors like Square.
There is great promise in the future of mobile payments and our innovations will help drive the industry forward.
Even more self-promotion, not in the spirit of an open letter. An open letter is open precisely to promote commentary and criticism, not to sell one’s own products or ideas.
Security by FUD
The “open letter” also has an elaborate video attached, with careful editing and effects, something that has taken time and effort. It looks like one of those ads run by politicians when they get into mud-slinging matches before elections, while adding nothing new to what is said in the letter. [Update] The video has been removed by YouTube due to TOS violations. VeriFone has re-uploaded it to Brightcove, showing further intent to damage a competitor rather than to make the industry more secure.
In addition, VeriFone has gone to the trouble of registering a custom domain name, sq-skim.com, which was registered through GoDaddy, and furthermore uses GoDaddy’s Domains By Proxy privacy service to cloak who is behind the domain. VeriFone should note that should a slander lawsuit be brought, these privacy services are worth nothing, as the original records can be requested by the court. It looks really bad to register a domain name which in part contains your competitor’s abbreviated name (“sq” for Square) and joins it with a word full of criminal intent such as “skim”. It makes it appear that Square is selling skimming devices, and not a payment solution that competes with VeriFone’s.
Finally, the letter lists “resources”, which are nothing but a bunch of links to marketing papers, articles negative towards Square, and “news” regarding skimming. The final touch is a “Be Secure Now” box with a big blue button that reads “Sign up for PAYware Mobile”. All this makes the whole thing stink even more of a mud-slinging attempt to kill a competitor.
Wait, skimmers for sale on eBay?
Yep. There are skimmers for sale on eBay. Search for “card skimmer” and you’re presented (albeit with no direct results) with related searches such as “bank skimmer” or “credit card skimmer”.
Search instead for “portable card reader”, and you’re presented with a wide selection of small, battery powered magnetic stripe readers, such as the one pictured in the listing discussed below.
It’s an irony that eBay provides buyer protection against an item designed to scam buyers at physical retail locations.
The listing is even so helpful as to show a picture of an actual Bank of China credit card being swiped through the reader, showing its really small size!
Major selling points and features are listed, but some are particularly striking for something that would pretend to have a legitimate use:
512 K bytes memory for storing more than 2,000 records of data
OK, so we can fit 2000 credit cards into this tiny thing. Useful.
3-track version can collect all three tracks data…
Meaning all the information needed to make a physical clone of a credit card, including the CVV1.
Password Protection defends user
… from law-enforcement officers trying to see what the waiter or gas station attendant has dumped onto the device, surely. Useful for denying criminal use of the thing. A self-destruct or auto-wipe button would be even better.
Transfer data to MSR206, MSR605 and MSR606 directly
This is the real kicker: transfer the skimmed credit card data directly to the magnetic stripe encoder models of choice in the carder “industry”! This means you don’t even need a computer to make physical copies of stolen credit cards; just connect the two devices and go!
Bi – Directional
So it’s eyes-free and battery powered: no need to pay attention while you swipe the customer’s card under the counter while he’s not looking.
My question to VeriFone: why don’t you write an open letter to eBay about the blatant trading of what are evidently skimming devices? None of the above ‘features’ can be found on Square’s device. Maybe register ebay-skim.com in the process. I just checked on GoDaddy, and it can be yours for just $11.99.