Just a few short days after Verifone CEO Douglas G Bergeron announced that his company would be including NFC capability in all its new POS systems and outlined six virtuous rules they would follow to lead customers to the promised land, the hit job commenced.
The whole thing was too well orchestrated to be a coincidence with last week’s announcement, so we have to assume Verifone has been planning this for a while. From the newly created website dedicated to bashing Square, Bergeron posts an “open letter.”
“Today is a wake-up call to consumers and the payments industry. Last year, a start-up named Square introduced a credit card reader for smartphones with the goal of making it very easy for anyone to accept credit cards through a mobile device. Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.
Don’t take our word for it. See for yourself by downloading the sample skimming application and viewing a video of this type of fraud in action.”
Yep, there’s a video and a downloadable “app” that consumers can use to “test” the vulnerability of the Square system. Update: Verifone pulled the video from YouTube, so you can only see it by going to the site, and they have pulled the app.
That doesn’t bode well for this video staying up much longer, but for now, the internet responds:
“We believe it is not in the best interest of the consumers, merchants and overall payment industry to publish the details of product designs describing potential attacks however remote those might be. Even if these attacks are difficult to be accomplished it gives the bad guys a leg up on research they would not have to do and encourages bad behavior.”
“Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to “skim” or copy numbers from a credit card. The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.”
For a detailed review of the situation, check out Mike Puchol’s post.
“The “open letter” also has an elaborate video attached, with careful editing and effects, something that has taken time and effort. It looks like one of those ads thrown by politicians when they get into mud-slinging matches before elections, while not bringing anything new to what is said in the letter.
In addition, VeriFone has gone through the trouble of registering a custom domain name, sq-skim.com, which was registered through GoDaddy, and even further, uses GoDaddy’s Domains By Proxy privacy service to cloak who is behind the domain.
Finally, the letter lists “resources”, which are nothing but a bunch of links to marketing papers, articles negative towards Square, and “news” regarding skimming. The final touch is a “Be Secure Now” box with a big blue button that reads “Sign up for PAYware Mobile”.
“Square’s CEO Jack Dorsey responded quickly and hit back with an open letter of his own in which he simply states that Square’s approach is no less insecure than anyone else’s and reiterates that they have the complete confidence of their processing house, JPMorgan Chase. In an “I’m telling Dad on you” moment, VeriFone’s previous letter specifically called on JPMorgan Chase to comment on the matter.
So Square’s defense — that it’s no more insecure than “a pen and paper” — isn’t completely true (you can use a Square reader to record the CVV1 number, which is a bit more than you can copy with the naked eye), but is pretty solid. And VeriFone has managed to portray itself as a bullying older brother running scared of its talented younger sibling — quite the PR own goal. This commotion has probably ended up giving Square greater credibility (or, at a minimum, greater exposure).
Meanwhile, VeriFone’s accusations have revealed a deeper truth; not so much that there are flaws in Square’s process, but that the entire role played by magnetic stripe data in credit card handling is problematic.”