Verifone: Steal This Card Data

Written by Frank Hayes and Evan Schuman
March 9th, 2011

In an ironic move, payment security vendor VeriFone on Wednesday (March 9) posted a video showing how to turn a mobile payment device into an illegal skimming unit. Not only did it post a video depicting the technique; VeriFone also posted a skimming application it had written and encouraged consumers to download it.

VeriFone did all this to attack a much smaller rival, Square, which it repeatedly identified by name. The ironies continue. VeriFone set up a special page for the content, at a domain name referencing Square. A key part of that page was a YouTube icon that played the video, but YouTube quickly took the video down, breaking the link.

The video itself encouraged people to grab a copy of VeriFone’s application, which is designed to read the unencrypted card data passing through Square’s dongle and so turn it into a skimming device. VeriFone CEO Douglas Bergeron narrates the video and says the site is “where you can download the sample skimming application and see for yourself.” And yet, no such link exists on the page. The link was removed, just as the YouTube video was.

Late on Wednesday, VeriFone spokesman Peter Bartolik confirmed that the file had been removed: “The app has been taken down and won’t be restored.” Oddly, the page’s statement that the app can still be downloaded remained, albeit with no link, as of 9:30 AM Thursday (March 10).

Bartolik offered an explanation for the app’s removal: “It became evident that some observers were coming to the conclusion that VeriFone had made available an actual skimming app, which was not the case. The app we made publicly available was a demonstration app that showed an ability to read data from a Square device, but did not actually display or capture sensitive card data. However, in order to curtail further confusion, we have removed the demo app. The video is self explanatory.”

The one point worth pausing on is the claim that “some observers were coming to the conclusion that VeriFone had made available an actual skimming app.” From VeriFone’s own statement, it’s easy to see where that impression came from.

The statement, on VeriFone’s Web page, attributed to Bergeron, said: “In less than an hour, any reasonably skilled programmer can write an application that will ‘skim’—or steal—a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.”

That pretty clearly states that the application being referenced was skimming card numbers. Bergeron’s statement later says, “See for yourself by downloading the sample skimming application.” Also, how could an application show “an ability to read data from a Square device” without actually doing it? The video showed the app doing its work, which is a demonstration of the app, but by also offering the actual “sample skimming application” for download, VeriFone left little room for any other reasonable interpretation.



  1. Dan Stiel Says:

    Verifone’s PR team likely did everyone in the mobile payment space – including themselves – a big disservice by dissing Square with such a high-profile slam.

    Verifone failed to mention in their rhetoric that Square happens to be out-selling Verifone several-fold as their biggest competitor in mobile payments.

    Somehow, it seems there could be a better way for Verifone to showcase how its solution is better or safer than instilling fear in everyone that mobile payments as a service are somehow universally and inherently unsafe.

    The news coverage of Verifone’s PR campaign in newspapers like the Los Angeles Times and the blogs I’ve read tonight leads readers to conclude that all mobile payments “may not be safe” – including a number of writers questioning the security of Verifone’s own devices themselves.

    After all, fraudsters could as easily clone a look-a-like Verifone mobile card reader as they could write a bogus app for their iPhone.

    Yes, I agree Square could and should improve the security of the card readers by injecting encryption keys into the readers. However, the technology and “parts” that hackers need to skim cards is far more easily available from any Radio Shack or Fry’s Electronics in far larger quantities than will ever be available from Square.

    The fact that Verifone is in mobile payments with a competitive product seems to paint Doug’s comments as more than just a little self-serving. After watching the video and reading his blog, I couldn’t help seeing Doug as the big bully in the school playground pushing the little kids around because the littlest guy got the prettiest girl.

    I just hope the bullying doesn’t inflict too deep or lasting damage to everyone in the mobile payments space.

  2. azmikey30 Says:

    Verifone and Square both ignored the elephant in the room: the proliferation of malware on the handsets. It’s on PCs today and merely captures anything coming through a USB that looks or smells like a card number. Same thing on the handset.

    Square can talk all they want about JP Morgan, and sending texts. That’s all fine and good, but what happens when the guy selling couches at his yard sale processes a transaction and the handset has malware that sends the card data off to the Ukraine while simultaneously the Square application processes a “real” transaction. It will happen and Square has no way to protect against this type of problem because they chose to go the inexpensive route.

    The problem is not a fake app. The problem is data in the clear entering the handset. Verifone did not go far enough in their statement. Instead of going after Square, they could have mentioned Square and all the other stuff that is dangerous. Yes, as consumers we are protected against fraud. However, when there is technology available (not just from Verifone) to protect consumers and companies choose not to use that technology for cost or other reasons, they should be called out.

    It has been mentioned that Verifone’s CEO is appearing as a bully. Perhaps. In my opinion, he showed restraint, and going further would have called out Visa and MasterCard for failing to give consumers more secure cards. It’s one thing to call out a start-up. It’s something else to call out a behemoth. Dorsey, however, appears petulant and completely dismissive of the real issue. Either he doesn’t understand, or he doesn’t want to reveal the real problem. Not a chance in the world that I would give my card to someone using something like Square (and there are many other companies using the same readers).

  3. chris Says:

    Another clue this is clearly personal; in the video, when calling out the skimming thief, Bergeron states “the glass-blower”. That is a blatant reference to Dorsey’s partner when coming up with Square; he was a glass-blower. For me, that took the whole point of a pseudo-security alert to a petty schoolyard rant. #fail

  4. Steve Sommers Says:

    Wow. Provide the skimming program and a training video on how to install and use the skimmer. Now that’s a marketing campaign that’ll draw attention!

    There is a line between promoting your wares and simply ripping a competitor with FUD, and I would question the ethics of someone providing tools and videos on how to exploit a competitor. To me, this campaign brings the entire payments industry down a notch toward the gutter.

  5. Richard Haag Says:

    While I do not agree with Verifone’s approach, after spending the last 10 years securing transaction infrastructures I can understand their frustration.

    Imagine if you just paid a significant amount of money to create and validate a PA-DSS product, and out of left field comes a new product that runs on a platform that my 8 year old uses to play Angry Birds. Worse, Acquirers who have told your customers to purchase only PA-DSS compliant apps have decided that the mandate does not apply to mobile apps. This is a platform that is connected to the Internet 24/7, is used to play music, games, download apps at the drop of a hat, and has security pros announcing hacks on a weekly basis.

    Meanwhile, your cellular enabled hardware terminal with integrated printer and keypad languishes in a never ending PA-DSS review.

    With that said, I think it is clear mobile payments are not going anywhere. Though it does remind me of the rush to the Internet by corporations in the mid-90’s (what could possibly go wrong). After some significant losses by a few, the rest appear to be getting it right and I am sure the same will be true for mobile payments.

    I do not actually know much about Square, but a brief review of their site suggests to me that the card swipe component is a gimmick; 2.75% for a card-present transaction seems very high, bordering on a card-not-present fee. With that in mind, is there really a difference between using a compiled mobile app with a card reader and browsing to one of hundreds of virtual terminals on the Internet today and typing a card in? I am sure Square’s pricing reflects removal of various other fees, and in reality their simplicity of setup and fee structure probably has more to do with their success.

    Finally, the argument made by Square regarding the waiter is ridiculous. The issue here is specific to electronic transactions and does not center around a few hundred or thousand waiters that may lift a card or two, which will likely be traced back to them.

    Imagine if you can compromise 15-20% (insert your own percentage, it does not matter) of the entire global waiter population, and against their will force them to steal every credit card they come into contact with and give it to you. Even better, this may only take a couple of weeks’ worth of effort.

    I think it is safe to say that the waiter scenario above is unlikely. On a mobile phone it is probably already happening.

  6. Ray Says:

    I for one, would like to thank Doug Bergeron for this highly professional announcement which was clearly made with all of our safety and well being in mind. (Thank you sir!) In fact, I believe we are witnessing the beginning of a promising career in public service. I look forward to other important PSA’s from Mr Bergeron in the future. Thanks to Doug, we now know that a mag-stripe reader could be used to read cards with. Some say that his next announcement will be that prisoners can file a metal spoon into a shiv. Others say that his next announcement will be that you can put someone’s eye out with a sharp stick. Spoon and sharp stick makers everywhere: your days are numbered!

  7. Tom Siegler Says:

    The Square reader is a very simple device; no processor or memory. It costs about $1 to make. It is not able to encrypt data. It cannot be key injected. The alternatives that do encrypt cost from $65 to $90. They generally do not work with mobile phones. Readers from MagTek, UIC, ID Tech can encrypt data. But that is the tip of the iceberg.

    Using an encrypting reader is not as simple as plugging it in. Very few POS processing systems can handle encrypted data. The vast majority of card data is processed as clear text ASCII. That includes the data read by most VeriFone terminals.

    The reader must be key injected by a certified vendor with the key for the acquiring processor. This typically costs from $15 to $40. Some vendors want to gateway the transaction and charge a fee for the service. This was VeriFone’s and MagTek’s business model. All encrypted transactions would generate revenue. Nice business if you can get it.

    The reader must plug into some intelligent device with an APP that can handle the encrypted data. Encrypted data is binary garbage – random bits. The data size can be different from the standard, clear text data. Encrypting with the industry standard schemes – DES or AES tend to increase the size of the data. (They are “block ciphers.”)

    If the APP can handle the encrypted data format, the server, or whatever is next in the path, also has to be specially designed. And so on until the data is decrypted. Some data is protected under SSL/TLS. Again, not all. Assuming the reader encrypts at the point of swipe, it will at some point go clear text. There are several zones in the process. As of today, they are not all encrypted.

    The great majority of mag stripe readers in VeriFone, Hypercom, Ingenico, etc deployed products have no physical or logical security built in. They can be attacked and the data captured with a simple “bug.” The industry is just starting to adopt strong security for MSR devices and data.

    So let’s put Mr B’s message in context. Yes, data read by a Square MSR is in the clear. And yes, an APP could capture that data. But remember; the next time your card is swiped on an MSR or terminal, the odds are about 100k to 1 that the data will be captured and processed in the clear.

    (Editor’s Note: The author is in the payments space, as the VP Strategic Market Development at UIC USA.)

  8. kestler26 Says:

    Not sure what Tom Siegler is talking about. The whole reason the VeriFone VeriShield Protect (VSP) solution is so simple to implement (and so revolutionary in my opinion) is the format-preserving encryption. Once encrypted at the mag stripe, the card PAN and track look like a regular PAN and track to any POS software. The card data travels through your environment AES encrypted to an outside processor like First Data or Chase Paymentech, where it is decrypted. You never have unencrypted card data in your environment. Yes, it does cost something, but let me repeat: you never have unencrypted card data in your networks; it’s only unencrypted at the outside processor. We implemented VSP with Mx860s and it is worth every penny.

    I should add that I think VeriFone embarrassed themselves the way they called out Square in the media like that. I know this is a competitive business space, but the way they did it was pretty unflattering and counterproductive to getting their message out. This is coming from a huge supporter of VeriFone and their products, mind you.

  9. Tom Siegler Says:

    Kestler26 makes a valid point but misses mine. Some VeriFone products can encrypt at the terminal and are available with VeriShield FPE integration. The MX860 and VeriShield are nice products, if you are willing to pay for them.

    We will see more deployments of VSP and other data security methods. Heartland and Mercury have competing solutions to First Data and Chase. Retailers can literally build their own with off-the-shelf Host Security Modules and standards-based encrypting readers. Products from other vendors can encrypt MSR data. Some also have FPE. But very few are in use today.

    MSR data encryption is only available in a tiny percent of currently deployed POS devices. Of the billions of dollars of magnetic stripe card payments performed each year, a fraction of 1% are encrypted on swipe. So I’m talking about the state of the industry… today’s reality.
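The thread above turns on two technical points: a plain magnetic-stripe reader hands the host clear-text track data (comment 7), and a block cipher such as AES changes the length and alphabet of that data, which is why a legacy POS built for clear text cannot simply be fed ciphertext and why format-preserving schemes (comment 8) exist. The following is an added example written for this page, not code from VeriFone, Square, or any commenter. It parses a constructed ISO 7813 track-2 record of the kind a POS extracts from a swipe, validates the PAN with the Luhn check, then encrypts the same record with AES-128-CBC and shows that the result no longer satisfies the track-2 grammar. The key and IV are fixed demo values chosen so the output is deterministic; a real deployment would use an injected key and a fresh IV per record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Track2 holds the fields a POS extracts from an ISO 7813 track-2 record,
// which is the clear-text form a plain magnetic-stripe reader emits.
type Track2 struct {
	PAN           string
	Expiry        string // YYMM
	ServiceCode   string
	Discretionary string
}

// track2Re is the clear-text track-2 grammar: ;PAN=YYMM SSS discretionary?
var track2Re = regexp.MustCompile(`^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$`)

// luhnValid checks the ISO 7812 mod-10 check digit on a PAN.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ParseTrack2 accepts only records matching the clear-text grammar; this is
// the check a legacy POS effectively performs before forwarding a swipe.
func ParseTrack2(rec string) (Track2, error) {
	m := track2Re.FindStringSubmatch(rec)
	if m == nil {
		return Track2{}, errors.New("not a clear-text track-2 record")
	}
	if !luhnValid(m[1]) {
		return Track2{}, errors.New("PAN fails Luhn check")
	}
	return Track2{PAN: m[1], Expiry: m[2], ServiceCode: m[3], Discretionary: m[4]}, nil
}

// pkcs7Pad pads to the cipher block size. This padding, plus the binary
// output alphabet, is the length and format change comment 7 refers to.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts a track record with AES-128-CBC. The key and IV are
// fixed demo values (an assumption for a deterministic example), not a
// real key-injection scheme.
func EncryptCBC(key, iv, rec []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(rec, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

func main() {
	// Constructed sample swipe using a well-known Luhn-valid test PAN.
	rec := ";4111111111111111=25121011234567890?"
	tr, err := ParseTrack2(rec)
	fmt.Printf("clear-text swipe: %+v err=%v\n", tr, err)

	ct, err := EncryptCBC([]byte("0123456789abcdef"), []byte("fixed-demo-iv-16"), []byte(rec))
	if err != nil {
		panic(err)
	}
	fmt.Printf("record %d bytes -> ciphertext %d bytes (%s)\n", len(rec), len(ct), hex.EncodeToString(ct))

	// A POS built for clear-text track data rejects the ciphertext outright.
	_, err = ParseTrack2(hex.EncodeToString(ct))
	fmt.Println("ciphertext as track 2:", err)
}
```

The 36-byte record pads to 48 bytes, and even hex-encoded the ciphertext fails the grammar check, which is the integration problem the commenters describe: every hop between the reader and the point of decryption has to be changed to carry the new format, or the ciphertext has to be shaped to look like a PAN and track, as a format-preserving scheme does.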

