Verifone: Steal This Card Data
Written by Frank Hayes and Evan Schuman

In an ironic move, payment security vendor VeriFone on Wednesday (March 9) posted a video showing how to turn a mobile payment device into an illegal skimming unit. Not only did it post a video depicting this technique, VeriFone also posted a skimming application it wrote and encouraged consumers to download it.
VeriFone did this all to attack a much smaller rival called Square, which it repeatedly identified by name. The ironies continue. VeriFone posted a special page for this content, including a domain name referencing its rival, Square: http://www.sq-skim.com/. A key part of that page was a YouTube icon that would play the video. But YouTube quickly took down the video, breaking the link.
The video itself encouraged people to grab a copy of VeriFone’s application, which is designed to turn Square’s dongle into an unencrypted skimming device. VeriFone CEO Douglas Bergeron narrates the video and says the site is “where you can download the sample skimming application and see for yourself.” And yet, no such link exists on the page. The link was removed, just as the YouTube video was.
Late on Wednesday, VeriFone spokesman Peter Bartolik confirmed that the file had been removed. “The app has been taken down and won’t be restored.” Oddly, the reference on the page that the app can still be downloaded remains, albeit with no link, as of 9:30 AM Thursday (March 10).
Bartolik offered an explanation for the app’s removal: “It became evident that some observers were coming to the conclusion that VeriFone had made available an actual skimming app, which was not the case. The app we made publicly available was a demonstration app that showed an ability to read data from a Square device, but did not actually display or capture sensitive card data. However, in order to curtail further confusion, we have removed the demo app. The video is self explanatory.”
The one point worth examining here is the claim that “some observers were coming to the conclusion that VeriFone had made available an actual skimming app.” From VeriFone’s own statement, it’s easy to see where that impression came from.
The statement, on VeriFone’s Web page, attributed to Bergeron, said: “In less than an hour, any reasonably skilled programmer can write an application that will ‘skim’—or steal—a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.”
That’s pretty clearly stating that the application being referenced was skimming numbers. Bergeron’s statement later says, “See for yourself by downloading the sample skimming application.” Also, how could an application show “an ability to read data from a Square device” without actually doing it? The video showed the app doing its work—which is a demonstration of the app—but by also offering to download the actual “sample skimming application,” it’s hard to envision any other reasonable interpretation.
March 10th, 2011 at 6:17 am
Verifone’s PR team likely did everyone in the mobile payment space – including themselves – a big disservice by dissing Square with such a high-profile slam.
Verifone failed to mention in their rhetoric that Square happens to be out-selling Verifone several-fold as their biggest competitor in mobile payments.
Somehow, it seems there could be a better way for Verifone to showcase how its solution is better or safer than instilling fear in everyone that mobile payments as a service are somehow universally and inherently unsafe.
The news coverage of Verifone’s PR campaign in newspapers like the Los Angeles Times and the blogs I’ve read tonight leads readers to conclude that all mobile payments “may not be safe” – including a number of writers questioning the security of Verifone’s own devices themselves.
After all, fraudsters could as easily clone a look-a-like Verifone mobile card reader as they could write a bogus app for their iPhone.
Yes, I agree Square could and should improve the security of the card readers by injecting encryption keys into the readers. However, the technology and “parts” that hackers need to skim cards is far more easily available from any Radio Shack or Fry’s Electronics in far larger quantities than will ever be available from Square.
The fact that Verifone is in mobile payments with a competitive product seems to paint Doug’s comments as more than just a little self-serving. After watching the video and reading his blog, I couldn’t help seeing Doug as the big bully in the school playground pushing the little kids around because the littlest guy got the prettiest girl.
I just hope the bullying doesn’t inflict too deep or lasting damage to everyone in the mobile payments space.
March 10th, 2011 at 12:23 pm
Verifone and Square both ignored the elephant in the room….. the proliferation of malware on the handsets. It’s on PCs today and merely captures anything coming through a USB that looks or smells like a card number. Same thing on the handset.
Square can talk all they want about JP Morgan, and sending texts. That’s all fine and good, but what happens when the guy selling couches at his yard sale processes a transaction and the handset has malware that sends the card data off to the Ukraine while simultaneously the Square application processes a “real” transaction. It will happen and Square has no way to protect against this type of problem because they chose to go the inexpensive route.
The problem is not a fake app. The problem is data in the clear entering the handset. Verifone did not go far enough in their statement. Instead of going after Square, they could have mentioned Square and all the other stuff that is dangerous. Yes, as consumers we are protected against fraud. However, when there is technology available (not just from Verifone) to protect consumers and companies choose not to use that technology for cost or other reasons, they should be called out.
It has been mentioned that Verifone’s CEO is appearing as a bully. Perhaps. In my opinion, he showed restraint and going further would have called out Visa and MasterCard for failing to give consumers more secure cards. It’s one thing to call out a start-up. It’s something else to call out a behemoth. Dorsey, however, appears petulant and completely dismissive of the real issue. Either he doesn’t understand, or he doesn’t want to reveal the real problem. Not a chance in the world that I would give my card to someone using something like Square (and there are many other companies using the same readers).
March 10th, 2011 at 1:05 pm
Another clue this is clearly personal; in the video, when calling out the skimming thief, Bergeron states “the glass-blower”. That is a blatant reference to Dorsey’s partner when coming up with Square; he was a glass-blower. For me, that took the whole point of a pseudo-security alert to a petty schoolyard rant. #fail
March 10th, 2011 at 2:51 pm
Wow. Provide the skimming program and a training video on how to install and use the skimmer. Now that’s a marketing campaign that’ll draw attention!
There is a line between promoting your wares and simply ripping a competitor with FUD, and I would question the ethics of someone providing tools and videos on how to exploit a competitor. To me, this campaign brings the entire payments industry down a notch toward the gutter.
March 10th, 2011 at 7:59 pm
While I do not agree with Verifone’s approach, after spending the last 10 years securing transaction infrastructures I can understand their frustration.
Imagine if you just paid a significant amount of money to create and validate a PA-DSS product, and out of left field comes a new product that runs on a platform that my 8 year old uses to play Angry Birds. Worse, Acquirers who have told your customers to purchase only PA-DSS compliant apps have decided that the mandate does not apply to mobile apps. This is a platform that is connected to the Internet 24/7, is used to play music, games, download apps at the drop of a hat, and has security pros announcing hacks on a weekly basis.
Meanwhile, your cellular enabled hardware terminal with integrated printer and keypad languishes in a never ending PA-DSS review.
With that said, I think it is clear mobile payments are not going anywhere. Though it does remind me of the rush to the Internet by corporations in the mid-90’s (what could possibly go wrong). After some significant losses by a few, the rest appear to be getting it right and I am sure the same will be true for mobile payments.
I do not actually know much about Square, but a brief review of their site suggests to me that the card swipe component is a gimmick; 2.75 for a card present transaction seems very high, bordering on a Card Not Present fee. With that in mind, is there really a difference between using a compiled mobile app with a card reader or browsing to one of hundreds of virtual terminals on the Internet today and typing a card in? I am sure Square’s pricing reflects removal of various other fees, and in reality their simplicity of setup and fee structure probably has more to do with their success.
Finally, the argument made by Square regarding the waiter is ridiculous. The issue here is specific to electronic transactions and does not center around a few hundred or thousand waiters that may lift a card or two, which will likely be traced back to them.
Imagine if you can compromise 15-20 (insert your own percentage, it does not matter) of the entire global waiter population, and against their will force them to steal every credit card they come into contact with and give it to you. Even better, this may only take a couple of weeks worth of effort.
I think it is safe to say that the waiter scenario above is unlikely. On a mobile phone it is probably already happening. http://news.cnet.com/8301-27080_3-10446402-245.html
March 11th, 2011 at 5:12 pm
I for one, would like to thank Doug Bergeron for this highly professional announcement which was clearly made with all of our safety and well being in mind. (Thank you sir!) In fact, I believe we are witnessing the beginning of a promising career in public service. I look forward to other important PSA’s from Mr Bergeron in the future. Thanks to Doug, we now know that a mag-stripe reader could be used to read cards with. Some say that his next announcement will be that prisoners can file a metal spoon into a shiv. Others say that his next announcement will be that you can put someone’s eye out with a sharp stick. Spoon and sharp stick makers everywhere: your days are numbered!
March 15th, 2011 at 6:06 pm
The Square reader is a very simple device; no processor or memory. It costs about $1 to make. It is not able to encrypt data. It cannot be key injected. The alternatives that do encrypt cost from $65 to $90. They generally do not work with mobile phones. Readers from MagTek, UIC, ID Tech can encrypt data. But that is the tip of the iceberg.
Using an encrypting reader is not as simple as plugging it in. Very few POS processing systems can handle encrypted data. The vast majority of card data is processed as clear text ASCII. That includes the data read by most VeriFone terminals.
The reader must be key injected by a certified vendor with the key for the acquiring processor. This typically costs from $15 to $40. Some vendors want to gateway the transaction and charge a fee for the service. This was VeriFone’s and MagTek’s business model. All encrypted transactions would generate revenue. Nice business if you can get it.
The reader must plug into some intelligent device with an APP that can handle the encrypted data. Encrypted data is binary garbage – random bits. The data size can be different from the standard, clear text data. Encrypting with the industry standard schemes – DES or AES tend to increase the size of the data. (They are “block ciphers.”)
If the APP can handle the encrypted data format, the server, or whatever is next in the path, also has to be specially designed. And so on until the data is decrypted. Some data is protected under SSL/TLS. Again, not all. Assuming the reader encrypts at the point of swipe, it will at some point go clear text. There are several zones in the process. As of today, they are not all encrypted.
The great majority of mag stripe readers in VeriFone, Hypercom, Ingenico, etc deployed products have no physical or logical security built in. They can be attacked and the data captured with a simple “bug.” The industry is just starting to adopt strong security for MSR devices and data.
So let’s put Mr B’s message in context. Yes, data read by a Square MSR is in the clear. And yes, an APP could capture that data. But remember; the next time your card is swiped on an MSR or terminal, the odds are about 100k to 1 that the data will be captured and processed in the clear.
(Editor’s Note: The author is in the payments space, as the VP Strategic Market Development at UIC USA.)
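The “clear text zones” the comment above describes can be audited rather than assumed. This added example (written for this page, not code from the article or from any commenter) is a small detector that flags ISO/IEC 7813 Track 2 records sitting unencrypted in a log line or capture, and uses a Luhn check to skip digit runs that merely look like a PAN; every sample line is constructed, and the card number is the well-known test value 4111111111111111.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; every real PAN satisfies it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_track2(text: str) -> list:
    """Return each cleartext Track 2 record in `text` whose PAN passes Luhn.

    Output from an encrypting reader (AES ciphertext carried as hex or base64)
    never has this shape, so a hit means card data is in the clear at this point.
    The PAN is masked before being reported so the finding itself is safe to log.
    """
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue            # cuts false positives from arbitrary digit strings
        exp = m.group("exp")
        hits.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": exp[2:] + "/" + exp[:2],     # YYMM -> MM/YY
            "service_code": m.group("svc"),
            "offset": m.start(),
        })
    return hits


# Constructed samples (not real traffic): a cleartext swipe, an encrypting reader's
# hex output (made-up bytes, not a real ciphertext), and a Luhn-failing look-alike.
SAMPLE_CLEAR = "POST /swipe track2=;4111111111111111=25121010000000000000? amount=12.50"
SAMPLE_ENCRYPTED = "POST /swipe track2=9f3a41c2d8e07b5a6c11fe02ab93d4e7 amount=12.50"
SAMPLE_NOISE = "debug ;4111111111111112=2512101? end"

if __name__ == "__main__":
    for line in (SAMPLE_CLEAR, SAMPLE_ENCRYPTED, SAMPLE_NOISE):
        print(find_cleartext_track2(line))
```

Run it over captured application logs or a packet dump of each hop between reader and acquirer; any hit marks a zone where the data is still clear text.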
March 17th, 2011 at 3:43 pm
Not sure what Tom Siegler is talking about. The whole reason the VeriFone Verishield Protect (VSP) solution is so simple to implement (and so revolutionary in my opinion) is the format preserving encryption. Once encrypted at the mag stripe, the card PAN and track look like regular PAN and track to any POS software. The card data travels through your environment AES encrypted to an outside processor like First Data or Chase Paymentech where it is decrypted. You never have unencrypted card data in your environment. Yes it does cost something, but let me repeat…you never have unencrypted card data in your networks, it’s only unencrypted at the outside processor. We implemented VSP with Mx860s and it is worth every penny.
I should add that I think VeriFone embarrassed themselves the way they called out Square in the media like that. I know this is a competitive business space but the way they did it was pretty unflattering and counterproductive to getting their message out. This is coming from a huge supporter of VeriFone and their products, mind you.
March 17th, 2011 at 5:26 pm
Kestler26 makes a valid point but misses mine. Some VeriFone products can encrypt at the terminal and are available with VeriShield FPE integration. The MX860 and VeriShield are nice products, if you are willing to pay for them.
We will see more deployments of VSP and other data security methods. Heartland and Mercury have competing solutions to First Data and Chase. Retailers can literally build their own with off-the-shelf Host Security Modules and standards-based encrypting readers. Products from other vendors can encrypt MSR data. Some also have FPE. But very few are in use today.
MSR data encryption is only available in a tiny percent of currently deployed POS devices. Of the billions of dollars of magnetic stripe card payments performed each year, a fraction of 1 are encrypted on swipe. So I’m talking about the state of the industry… today’s reality.