This is page 3 of:
Verifone: Steal This Card Data
Stiel also addressed the encryption concerns. “I agree Square could and should improve the security of the card readers by injecting encryption keys into the readers. However, the technology and ‘parts’ that hackers need to skim cards is far more easily available from any Radio Shack or Fry’s Electronics in far larger quantities than will ever be available from Square” and he added “After all, fraudsters could as easily clone a look-a-like Verifone mobile card reader as they could write a bogus app for their iPhone.”
Square CEO Jack Dorsey issued a brief statement on Square’s site reacting to VeriFone’s efforts. “Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card.”
Dorsey also alluded to the fact that the weakness in question has to start with a customer handing a payment card to the thief.
“Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to ‘skim’ or copy numbers from a credit card,” Dorsey said. “The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card.”
VeriFone seems to have gone out of its way to try and provoke Square. In the video, the narration contrasts Square with “VeriFone and other reputable vendors.” VeriFone’s Web site has a permanent column labeled: “Square’s Ongoing Security Challenges.”
VeriFone’s Web page promised that, on March 9, it would turn over its application to various payment players. “Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express and JP Morgan Chase (Square’s credit card processor), and we invite their comments,” Bergeron said.
What makes that move interesting is Chase. Had VeriFone left it at the four largest card brands, company officials could have argued (whether it would be with a straight face or not is another question) that this was an honorable altruistic move to help the security community. But by publicly including Square’s processor, it makes it almost impossible to paint as anything other than a vindictive move against a much smaller competitor.
VeriFone’s campaign is especially odd because, though it’s apparently aimed at consumers, there’s probably not one consumer in 1,000 who would have any clue what VeriFone is talking about. Consumers don’t know about PCI or encryption. Consumers assume that retailers (and anyone else) they hand a payment card to has full access to the data on it and will keep that data as long as they like.
This is not to suggest that Square hasn’t had its own legal issues.
But card skimming has been easy and cheap for years. Wireless card readers cost less than the iPhone or iPad that a Square dongle plugs into, and one reputable magazine published an article a few years ago detailing how to build a magstripe reader for $40. Similar readers have been sold for other handheld devices for almost a decade.
It’s hard to envision the significance of it being easy to turn a mobile card swiping dongle into a card skimmer. First, it’s not that hard to do. Secondly, it’s only an issue if the thief already has access to the consumer’s credit card. And third, given the low costs of skimming for years, it seems unlikely that there are lots of thieves out there, who were awaiting an even cheaper skimming method. Skimmers have always been quite low cost.
-Marc
March 10th, 2011 at 6:17 am
Verifone’s PR team likely did everyone in the mobile payment space – including themselves – a big disservice by dissing Square with such a high-profile slam.
Verifone failed to mention in their rhetoric that Square happens to be out-selling Verifone several-fold as their biggest competitor in mobile payments.
Somehow, it seems there could be a better way for Verifone to showcase how its solution is better or safer than instilling fear in everyone that mobile payments as a service are somehow universally and inherently unsafe.
The news coverage of Verifone’s PR campaign in newspapers like the Los Angeles Times and the blogs I’ve read tonight leads readers to conclude that all mobile payments “may not be safe” – including a number of writers questioning the security of Verifone’s own devices themselves.
After all, fraudsters could as easily clone a look-a-like Verifone mobile card reader as they could write a bogus app for their iPhone.
Yes, I agree Square could and should improve the security of the card readers by injecting encryption keys into the readers. However, the technology and “parts” that hackers need to skim cards is far more easily available from any Radio Shack or Fry’s Electronics in far larger quantities than will ever be available from Square.
The fact that Verifone is in mobile payments with a competitive product seems to paint Doug’s comments as more than just a little self-serving. After watching the video and reading his blog, I couldn’t help seeing Doug as the big bully in the school playground pushing the little kids around because the littlest guy got the prettiest girl.
I just hope the bullying doesn’t inflict too deep or lasting damage to everyone in the mobile payments space.
March 10th, 2011 at 12:23 pm
Verifone and Square both ignored the elephant in the room….. the proliferation of malware on the handsets. It’s on PCs today and merely captures anything coming through a USB that looks or smells like a card number. Same thing on the handset.
Square can talk all they want about JP Morgan, and sending texts. That’s all fine and good, but what happens when the guy selling couches at his yard sale processes a transaction and the handset has malware that sends the card data off to the Ukraine while simultaneously the Square application processes a “real” transaction. It will happen and Square has no way to protect against this type of problem because they chose to go the inexpensive route.
The problem is not a fake app. The problem is data in the clear entering the handset. Verifone did not go far enough in their statement. Instead of going after Square, they could have mentioned Square and all the other stuff that is dangerous. Yes as consumer we are protected against fraud. However, when there is technology available (not just from Verifone) to protect consumers and companies choose not to use that technology for cost or other reasons, they should be called out.
It has been mentioned that Verifone’s CEO is appearing as a bully. Perhaps. In my opinion, he showed restraint and going further would have called out Visa and MasterCard for failing to give consumers more secure cards. It’s one thing to call out a start-up. It’s something else to call out a behemoth. Dorsey, however, appears petulant and completely dismissing of the real issue. Either he doesn’t understand, or he doesn’t want to reveal the real problem. Not a chance in the world that I would give my card to someone using something like Square (and there are many other companies using the same readers).
March 10th, 2011 at 1:05 pm
Another clue this is clearly personal; in the video, when calling out the skimming thief, Bergeron states “the glass-blower”. That is a blatant reference to Dorsey’s partner when coming up with Square; he was a glass-blower. For me, that took the whole point of a pseudo-security alert to a petty schoolyard rant. #fail
March 10th, 2011 at 2:51 pm
Wow. Provide the skimming program and a training video on how to install and use the skimmer. Now that’s a marketing campaign that’ll draw attention!
There is a line between promoting your wares and simply ripping a competitor with FUD, and I would question the ethics of someone providing tools and videos on how to exploit a competitor. To me, this campaign brings the entire payments industry down a notch toward the gutter.
March 10th, 2011 at 7:59 pm
While I do not agree with Verifone’s approach, after spending the last year 10 years securing transaction infrastructures I can understand their frustration.
Imagine if you just paid a significant amount of money to create and validate a PA-DSS product, and out of left field comes a new product that runs on a platform that my 8 year old uses to play Angry Birds. Worse, Acquirers who have told your customers to purchase only PA-DSS compliant apps have decided that the mandate does not apply to mobile apps. This is a platform that is connected to the Internet 24/7, is used to play music, games, download apps at the drop of a hat, and has security pros announcing hacks on a weekly basis.
Meanwhile, your cellular enabled hardware terminal with integrated printer and keypad languishes in a never ending PA-DSS review.
With that said, I think it is clear mobile payments are not going anywhere. Though it does remind me of the rush to the Internet by corporations in the mid-90’s (what could possibly go wrong). After some significant losses by a few, the rest appear to be getting it right and I am sure the same will be true for mobile payments.
I do not actually know much about Square, but a brief review of their site suggests to me that the card swipe component is a gimmick, 2.75 for a card present transaction seems very high bordering on a Card Not Present fee. With that in mind is there really a difference between using a compiled mobile app with a card reader or browsing to one of hundreds of virtual terminals on the Internet today and typing a card in? I am sure Square’s pricing reflects removal of various other fees and in reality there simplicity of setup and fee structure probably has more to do with their success.
Finally, the argument made by Square regarding the waiter is ridiculous. The issue here is specific to electronic transactions and does not center around a few hundred or thousand waiters that may lift a card or two, which will likely be traced back to them.
Imagine if you can compromise 15-20(insert your own percentage, it does not matter) of the entire global waiter population, and against their will force them to steal every credit card they come into contact with and give it to you. Even better this may only take a couple of weeks worth of effort.
I think it is safe to say that the waiter scenario above is unlikely. On a mobile phone it is probably already happening. http://news.cnet.com/8301-27080_3-10446402-245.html
March 11th, 2011 at 5:12 pm
I for one, would like to thank Doug Bergeron for this highly professional announcement which was clearly made with all of our safety and well being in mind. (Thank you sir!) In fact, I believe we are witnessing the beginning of a promising career in public service. I look forward to other important PSA’s from Mr Bergeron in the future. Thanks to Doug, we now know that a mag-stripe reader could be used to read cards with. Some say that his next announcement will be that prisoners can file a metal spoon into a shiv. Others say that his next announcement will be that you can put someone’s eye out with a sharp stick. Spoon and sharp stick makers everywhere: your days are numbered!
March 15th, 2011 at 6:06 pm
The Square reader is a very simple device; no processor or memory. It costs about $1 to make. It is not able to encrypt data. It can not be key injected. The alternatives that do encrypt cost from $65 to $90. They generally do not work with a mobile phones. Readers from MagTek, UIC, ID Tech, can encrypt data. But that is the tip of the iceberg.
Using an encrypting reader is not as simple as plugging it in. Very few POS processing systems can handle encrypted data. The vast majority of card data is processed as clear text ASCII. That includes the data read by most VeriFone terminals.
The reader must be key injected by a certified vendor with the key for the acquiring processor. This typically costs from $15 to $40. Some vendors want to gateway the transaction and charge a fee for the service. This was VeriFone’s and MagTek’s business model. All encrypted transactions would generate revenue. Nice business if you can get it.
The reader must plug into some intelligent device with an APP that can handle the encrypted data. Encrypted data is binary garbage – random bits. The data size can be different from the standard, clear text data. Encrypting with the industry standard schemes – DES or AES tend to increase the size of the data. (They are “block ciphers.”)
If the APP can handle the encrypted data format, the server, or whatever is next in the path also has to be specially designed. And so on until the data is decrypted. Spme data is protected under SSL/TLS. Again, not all. Assuming the reader encrypts at the point of swipe, it will at some point go clear text. There are several zones in the process. As of today, they are not all encrypted.
The great majority of mag stripe readers in VeriFone, Hypercom, Ingenico, etc deployed products have no physical or logical security built in. They can be attacked and the data captured with a simple “bug.” The industry is just starting to adopt strong security for MSR devices and data.
So let’s put Mr B’s message in context. Yes, data read by a Square MSR is in the clear. And yes, an APP could capture that data. But remember; the next time your card is swiped on an MSR or terminal, the odds are about 100k to 1 that the data will be captured and processed in the clear.
(Editor’s Note: The author is in the payments space, as the VP Strategic Market Development at UIC USA.)
March 17th, 2011 at 3:43 pm
Not sure what Tom Siegler is talking about. The whole reason the VeriFone Verishield Protect (VSP) solution is so simple to implement (and so revolutionary in my opinion) is the format preserving encryption. Once encrypted at the mag stripe the card PAN and track look like regular PAN and track to any POS software. The card data travels through your environment AES encrypted to an outside processer like First Data or Chase Paymentech where it is decrypted. You never have unencrypted card data in your environment. Yes it does cost something, but let me repeat…you never have unencrypted card data in your networks, it’s only unencrypted at an the outside processor. We implemented VSP with Mx860s and it is worth every penny.
I should add that I think VeriFone embarrassed themselves the way they called out Square in the media like that. I know this is competitive business space but they way they did it was pretty unflattering and counterproductive to getting their message out. This is coming from a huge supporter of VeriFone and their products mind you.
March 17th, 2011 at 5:26 pm
Kestler26 makes a valid point but misses mine. Some VeriFone products can encrypt at the terminal and are available with VeriShield FPE integration. The MX860 and VeriShield are nice products, if you are willing to pay for them.
We will see more deployments of VSP and other data security methods. Heartland and Mercury have competing solutions to First Data and Chase. Retailers can literally build their own with off-the-shelf Host Security Modules and standards-based encrypting readers. Products from other vendors can encrypt MSR data. Some also have FPE. But very few are in use today.
MSR data encryption is only available in a tiny percent of currently deployed POS devices. Of the billions of dollars of magnetic stripe card payments performed each year, a fraction of 1 are are encrypted on swipe. So I’m talking about the state of the industry… today’s reality.