This is page 3 of:

Verifone: Steal This Card Data

March 9th, 2011

Stiel also addressed the encryption concerns. “I agree Square could and should improve the security of the card readers by injecting encryption keys into the readers. However, the technology and ‘parts’ that hackers need to skim cards is far more easily available from any Radio Shack or Fry’s Electronics in far larger quantities than will ever be available from Square” and he added “After all, fraudsters could as easily clone a look-a-like Verifone mobile card reader as they could write a bogus app for their iPhone.”

Square CEO Jack Dorsey issued a brief statement on Square’s site reacting to VeriFone’s efforts. “Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card.”

Dorsey also alluded to the fact that the weakness in question has to start with a customer handing a payment card to the thief.

“Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to ‘skim’ or copy numbers from a credit card,” Dorsey said. “The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.”

VeriFone seems to have gone out of its way to try and provoke Square. In the video, the narration contrasts Square with “VeriFone and other reputable vendors.” VeriFone’s Web site has a permanent column labeled: “Square’s Ongoing Security Challenges.”

VeriFone’s Web page promised that, on March 9, it would turn over its application to various payment players. “Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express and JP Morgan Chase (Square’s credit card processor), and we invite their comments,” Bergeron said.

What makes that move interesting is Chase. Had VeriFone left it at the four largest card brands, company officials could have argued (whether it would be with a straight face or not is another question) that this was an honorable altruistic move to help the security community. But by publicly including Square’s processor, it makes it almost impossible to paint as anything other than a vindictive move against a much smaller competitor.

VeriFone’s campaign is especially odd because, though it’s apparently aimed at consumers, there’s probably not one consumer in 1,000 who would have any clue what VeriFone is talking about. Consumers don’t know about PCI or encryption. Consumers assume that retailers (and anyone else) they hand a payment card to have full access to the data on it and will keep that data as long as they like.

This is not to suggest that Square hasn’t had its own legal issues.

But card skimming has been easy and cheap for years. Wireless card readers cost less than the iPhone or iPad that a Square dongle plugs into, and one reputable magazine published an article a few years ago detailing how to build a magstripe reader for $40. Similar readers have been sold for other handheld devices for almost a decade.

It’s hard to envision the significance of it being easy to turn a mobile card-swiping dongle into a card skimmer. First, card skimming isn’t that hard to do anyway. Secondly, it’s only an issue if the thief already has access to the consumer’s credit card. And third, given the low costs of skimming for years, it seems unlikely that there are lots of thieves out there who were awaiting an even cheaper skimming method. Skimmers have always been quite low cost.


9 Comments

  1. Dan Stiel Says:

    Verifone’s PR team likely did everyone in the mobile payment space – including themselves – a big disservice by dissing Square with such a high-profile slam.

    Verifone failed to mention in their rhetoric that Square happens to be out-selling Verifone several-fold as their biggest competitor in mobile payments.

    Somehow, it seems there could be a better way for Verifone to showcase how its solution is better or safer than instilling fear in everyone that mobile payments as a service are somehow universally and inherently unsafe.

    The news coverage of Verifone’s PR campaign in newspapers like the Los Angeles Times and the blogs I’ve read tonight leads readers to conclude that all mobile payments “may not be safe” – including a number of writers questioning the security of Verifone’s own devices themselves.

    After all, fraudsters could as easily clone a look-a-like Verifone mobile card reader as they could write a bogus app for their iPhone.

    Yes, I agree Square could and should improve the security of the card readers by injecting encryption keys into the readers. However, the technology and “parts” that hackers need to skim cards is far more easily available from any Radio Shack or Fry’s Electronics in far larger quantities than will ever be available from Square.

    The fact that Verifone is in mobile payments with a competitive product seems to paint Doug’s comments as more than just a little self-serving. After watching the video and reading his blog, I couldn’t help seeing Doug as the big bully in the school playground pushing the little kids around because the littlest guy got the prettiest girl.

    I just hope the bullying doesn’t inflict too deep or lasting damage to everyone in the mobile payments space.

  2. azmikey30 Says:

    Verifone and Square both ignored the elephant in the room: the proliferation of malware on the handsets. It’s on PCs today and merely captures anything coming through a USB that looks or smells like a card number. Same thing on the handset.

    Square can talk all they want about JP Morgan, and sending texts. That’s all fine and good, but what happens when the guy selling couches at his yard sale processes a transaction and the handset has malware that sends the card data off to the Ukraine while simultaneously the Square application processes a “real” transaction. It will happen and Square has no way to protect against this type of problem because they chose to go the inexpensive route.

    The problem is not a fake app. The problem is data in the clear entering the handset. Verifone did not go far enough in their statement. Instead of going after Square, they could have mentioned Square and all the other stuff that is dangerous. Yes, as consumers we are protected against fraud. However, when there is technology available (not just from Verifone) to protect consumers and companies choose not to use that technology for cost or other reasons, they should be called out.

    It has been mentioned that Verifone’s CEO is appearing as a bully. Perhaps. In my opinion, he showed restraint, and going further would have called out Visa and MasterCard for failing to give consumers more secure cards. It’s one thing to call out a start-up. It’s something else to call out a behemoth. Dorsey, however, appears petulant and completely dismissive of the real issue. Either he doesn’t understand, or he doesn’t want to reveal the real problem. Not a chance in the world that I would give my card to someone using something like Square (and there are many other companies using the same readers).

  3. chris Says:

    Another clue this is clearly personal; in the video, when calling out the skimming thief, Bergeron states “the glass-blower”. That is a blatant reference to Dorsey’s partner when coming up with Square; he was a glass-blower. For me, that took the whole point of a pseudo-security alert to a petty schoolyard rant. #fail

  4. Steve Sommers Says:

    Wow. Provide the skimming program and a training video on how to install and use the skimmer. Now that’s a marketing campaign that’ll draw attention!

    There is a line between promoting your wares and simply ripping a competitor with FUD, and I would question the ethics of someone providing tools and videos on how to exploit a competitor. To me, this campaign brings the entire payments industry down a notch toward the gutter.

  5. Richard Haag Says:

    While I do not agree with Verifone’s approach, after spending the last 10 years securing transaction infrastructures I can understand their frustration.

    Imagine if you just paid a significant amount of money to create and validate a PA-DSS product, and out of left field comes a new product that runs on a platform that my 8-year-old uses to play Angry Birds. Worse, Acquirers who have told your customers to purchase only PA-DSS compliant apps have decided that the mandate does not apply to mobile apps. This is a platform that is connected to the Internet 24/7, is used to play music, games, download apps at the drop of a hat, and has security pros announcing hacks on a weekly basis.

    Meanwhile, your cellular enabled hardware terminal with integrated printer and keypad languishes in a never ending PA-DSS review.

    With that said, I think it is clear mobile payments are not going anywhere. Though it does remind me of the rush to the Internet by corporations in the mid-90’s (what could possibly go wrong). After some significant losses by a few, the rest appear to be getting it right and I am sure the same will be true for mobile payments.

    I do not actually know much about Square, but a brief review of their site suggests to me that the card swipe component is a gimmick; 2.75 for a card present transaction seems very high, bordering on a Card Not Present fee. With that in mind, is there really a difference between using a compiled mobile app with a card reader or browsing to one of hundreds of virtual terminals on the Internet today and typing a card in? I am sure Square’s pricing reflects removal of various other fees, and in reality their simplicity of setup and fee structure probably has more to do with their success.

    Finally, the argument made by Square regarding the waiter is ridiculous. The issue here is specific to electronic transactions and does not center around a few hundred or thousand waiters that may lift a card or two, which will likely be traced back to them.

    Imagine if you can compromise 15-20% (insert your own percentage, it does not matter) of the entire global waiter population, and against their will force them to steal every credit card they come into contact with and give it to you. Even better, this may only take a couple of weeks’ worth of effort.

    I think it is safe to say that the waiter scenario above is unlikely. On a mobile phone it is probably already happening. http://news.cnet.com/8301-27080_3-10446402-245.html

  6. Ray Says:

    I for one, would like to thank Doug Bergeron for this highly professional announcement which was clearly made with all of our safety and well being in mind. (Thank you sir!) In fact, I believe we are witnessing the beginning of a promising career in public service. I look forward to other important PSA’s from Mr Bergeron in the future. Thanks to Doug, we now know that a mag-stripe reader could be used to read cards with. Some say that his next announcement will be that prisoners can file a metal spoon into a shiv. Others say that his next announcement will be that you can put someone’s eye out with a sharp stick. Spoon and sharp stick makers everywhere: your days are numbered!

  7. Tom Siegler Says:

    The Square reader is a very simple device; no processor or memory. It costs about $1 to make. It is not able to encrypt data. It can not be key injected. The alternatives that do encrypt cost from $65 to $90. They generally do not work with mobile phones. Readers from MagTek, UIC, ID Tech can encrypt data. But that is the tip of the iceberg.

    Using an encrypting reader is not as simple as plugging it in. Very few POS processing systems can handle encrypted data. The vast majority of card data is processed as clear text ASCII. That includes the data read by most VeriFone terminals.

    The reader must be key injected by a certified vendor with the key for the acquiring processor. This typically costs from $15 to $40. Some vendors want to gateway the transaction and charge a fee for the service. This was VeriFone’s and MagTek’s business model. All encrypted transactions would generate revenue. Nice business if you can get it.

    The reader must plug into some intelligent device with an APP that can handle the encrypted data. Encrypted data is binary garbage – random bits. The data size can be different from the standard, clear text data. Encrypting with the industry standard schemes – DES or AES – tends to increase the size of the data. (They are “block ciphers.”)

    If the APP can handle the encrypted data format, the server, or whatever is next in the path, also has to be specially designed. And so on until the data is decrypted. Some data is protected under SSL/TLS. Again, not all. Assuming the reader encrypts at the point of swipe, it will at some point go clear text. There are several zones in the process. As of today, they are not all encrypted.

    The great majority of mag stripe readers in VeriFone, Hypercom, Ingenico, etc. deployed products have no physical or logical security built in. They can be attacked and the data captured with a simple “bug.” The industry is just starting to adopt strong security for MSR devices and data.

    So let’s put Mr B’s message in context. Yes, data read by a Square MSR is in the clear. And yes, an APP could capture that data. But remember: the next time your card is swiped on an MSR or terminal, the odds are about 100k to 1 that the data will be captured and processed in the clear.

    (Editor’s Note: The author is in the payments space, as the VP Strategic Market Development at UIC USA.)

  8. kestler26 Says:

    Not sure what Tom Siegler is talking about. The whole reason the VeriFone Verishield Protect (VSP) solution is so simple to implement (and so revolutionary in my opinion) is the format preserving encryption. Once encrypted at the mag stripe, the card PAN and track look like regular PAN and track to any POS software. The card data travels through your environment AES encrypted to an outside processor like First Data or Chase Paymentech where it is decrypted. You never have unencrypted card data in your environment. Yes it does cost something, but let me repeat…you never have unencrypted card data in your networks; it’s only unencrypted at the outside processor. We implemented VSP with Mx860s and it is worth every penny.

    I should add that I think VeriFone embarrassed themselves the way they called out Square in the media like that. I know this is a competitive business space, but the way they did it was pretty unflattering and counterproductive to getting their message out. This is coming from a huge supporter of VeriFone and their products, mind you.
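To make concrete the two points argued in the thread (Tom Siegler’s, that a block cipher turns swipe data into longer binary that legacy POS software and servers cannot carry, and kestler26’s, that format-preserving encryption leaves the PAN looking like a PAN to that same software), here is an added example in Go. It is not code from the article, the commenters, VeriFone or any vendor: the key, the test PAN and the POS field check are constructed, and the digit-domain Feistel cipher is an illustration of the format-preserving idea, not NIST FF1/FF3 or VeriShield.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

var key = []byte("constructed-demo-key-32-bytes!!!") // constructed demo key; a real reader gets its key by key injection
// looksLikePAN is the field check a legacy POS applies: a run of 13 to 19 ASCII digits.
var panRe = regexp.MustCompile(`^[0-9]{13,19}$`)

func looksLikePAN(s string) bool { return panRe.MatchString(s) }

// aesGCM seals the PAN with AES-256-GCM: output is binary and longer (nonce + ciphertext + tag).
func aesGCM(pan string) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per call, prepended to the output
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, []byte(pan), nil)
}
func pow10(m int) *big.Int { return new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(m)), nil) }
func toDigits(x *big.Int, m int) string { return strings.Repeat("0", m-len(x.String())) + x.String() } // left-pad to m digits

// roundFn derives a value below 10^m from the round index and one half, via HMAC-SHA256.
func roundFn(r int, half string, m int) *big.Int {
	mac := hmac.New(sha256.New, key)
	mac.Write(append([]byte{byte(r)}, half...))
	return new(big.Int).Mod(new(big.Int).SetBytes(mac.Sum(nil)), pow10(m))
}

// fpeEncrypt: toy 10-round Feistel cipher over decimal digits, so the output keeps the input's
// length and alphabet. Illustrative only: NOT NIST FF1/FF3 or any vendor's scheme.
func fpeEncrypt(pan string) string {
	a, b := pan[:len(pan)/2], pan[len(pan)/2:]
	for r := 0; r < 10; r++ {
		x, _ := new(big.Int).SetString(a, 10)
		a, b = b, toDigits(x.Add(x, roundFn(r, b, len(a))).Mod(x, pow10(len(a))), len(a))
	}
	return a + b
}

// fpeDecrypt runs the rounds in reverse; this step belongs at the processor, not at the POS.
func fpeDecrypt(ct string) string {
	a, b := ct[:len(ct)/2], ct[len(ct)/2:]
	for r := 9; r >= 0; r-- {
		a, b = b, a // a now holds the round output, b the half that fed roundFn
		x, _ := new(big.Int).SetString(a, 10)
		a = toDigits(x.Sub(x, roundFn(r, b, len(a))).Mod(x, pow10(len(a))), len(a)) // Mod is Euclidean, result >= 0
	}
	return a + b
}

func main() {
	pan := "4111111111111111" // constructed test number, not a real account
	enc := fpeEncrypt(pan)
	fmt.Printf("FPE %s -> %s  POS check: %v  round-trip: %v\n", pan, enc, looksLikePAN(enc), fpeDecrypt(enc) == pan)
	fmt.Printf("AES-GCM %d bytes -> %d bytes  POS check: %v\n", len(pan), len(aesGCM(pan)), looksLikePAN(string(aesGCM(pan))))
}
```

The FPE output passes the same 16-digit field check the plaintext does and still decrypts only with the key, while the AES-GCM output is 44 bytes of binary that a clear-text PAN field or parser would reject.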

  9. Tom Siegler Says:

    Kestler26 makes a valid point but misses mine. Some VeriFone products can encrypt at the terminal and are available with VeriShield FPE integration. The MX860 and VeriShield are nice products, if you are willing to pay for them.

    We will see more deployments of VSP and other data security methods. Heartland and Mercury have competing solutions to First Data and Chase. Retailers can literally build their own with off-the-shelf Host Security Modules and standards-based encrypting readers. Products from other vendors can encrypt MSR data. Some also have FPE. But very few are in use today.

    MSR data encryption is only available in a tiny percent of currently deployed POS devices. Of the billions of dollars of magnetic stripe card payments performed each year, a fraction of 1% are encrypted on swipe. So I’m talking about the state of the industry… today’s reality.
