It’s hip to be Square

In 2011, it is once again hip to be square. Not in the 1980’s hit song Huey Lewis and The News sense, more’s the pity, but in the mobile banking payments sense, where a 2009 startup, Square, is leading the charge into the mobile payments space. But they don’t have the market to themselves and both proprietary credit card systems and other platform agnostic competitors are ramping up their efforts and their dislike for the company they see as the market leader.

A bit of background about Square. Square is a fantastic little company making waves in mobile banking and the US financials space as the builders of, what effectively amounts to a mobile credit-card payment dongle. The dongle, pictured below, plugs right into any audio socket on any iPhone, iPad and Android device, allowing the user to take payments quickly and easily, anywhere any time.

Square’s website says “Square enables people from all walks of life to accept credit and debit cards. Taxi drivers can get paid quickly without dealing with the headache of printers, pens and paper; a pastry chef that only sells at seasonal farmer’s markets now can accept payments without getting charged a monthly fee; food trucks now have a simple and mobile way to migrate from being limited to cash. You can even have your friend that owes you $20 pay you with their card since their wallet always seems to be empty when you remind them about it.”

Open to the major smartphone operating systems, Square is poised for growth unlike most other companies in its space. And its the ease-of-adoption factor which makes Square in particular so appealing. Anyone carrying an Apple or Android smartphone or tablet product can use Square.

And, importantly for both the money taker and the money payee, Square’s platform is credit-card agnostic. Square is as open as it can be, accepting payments from anyone, anytime, anywhere (in the US).

With any successful rise in an industry, particularly one as hot as mobile payments, there will be detractors. Overnight, Verifone’s CEO, Doug Bergeron wrote an “open letter” to the US finance industry claiming that Square’s services have serious security holes.

“Bergeron claims that anyone can “skim” or steal personal information off of a credit card’s magnetic strip using the Square card reader with a hacked app and to illustrate the vulnerability, VeriFone wrote a test app that can “skim” to prove their assertions.

VeriFone says the flaw is in Square’s hardware, which the company says lacks the ability to encrypt credit card data. It’s unclear if VeriFone’s claims have grounds, but it is a serious move on VeriFone’s part to call out a competitor publicly.” writes, Leena Rao for Techcrunch.

The letter, posted in full at the bottom of this post, says in part : In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

That may well be true but what the letter doesn’t say is that Verifone just happens to have its own competing product to Square’s and virtually the same thing can be said about its product offering. There’s nothing to suggest that an app couldn’t be written to mimic Verifone’s too. Verifone’s open letter also completely ignores the fact that a consumers money is protected by the credit card companies where fraud is reported.

Square hasn’t yet made a formal response, they seem, at least for the moment, to be waiting to see what the industry’s and media’s response is. And if that really is their tactic they might do well to wait it out as many social, tech, gadget and mobile media organisations are all highlighting that the ‘Square flaws’ are equally applicable to the company bringing them to light.

There isn’t a scheduled release plan for Square or Verifone to make their appearance in international markets – at least none that have been made public, but one can only assume and hope its a matter of time. With a smartphone market is set to double in size in the next two to three years in the US alone, not to mention global expansion possibilities to high-smartphone adopting nations such as the UK, Japan, China and Australia the mobile payments space is set to only get more fierce and competitive. If the big US players don’t arrive on Aussie shores soon, we may well see a local startup version in the mobile payment space.

Domestically, Australian banks and other financial institutions would do well to be early adopters of this technology. The appeal of doing business with upwardly mobile businesses, being seen as a progressive organisation while appealing to the broadest possible market through platform agnostic mobile delivery is a potential gold mine for growth.

Doing so would dovetail nicely into operational, product and marketing strategies that involve adoption of tangible value-add mobile products and mobile+social marketing integration – as well as creating a new market place with tens of thousands of small and micro-SME’s. And who knows where today’s SME’s will be in ten or fifteen years time. With the right growth strategies and wholesale funding products, the sky’s the limit.

—————-

The open letter to the industry from Verifone is below:

An Open Letter to the Industry and Consumers

Today is a wake-up call to consumers and the payments industry. Last year, a start-up named Square introduced a credit card reader for smartphones with the goal of making it very easy for anyone to accept credit cards through a mobile device. Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

Let me explain how easy it is to exploit the vulnerability.

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

There are hundreds of thousands of these unsecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.

Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.

Don’t take our word for it. See for yourself at http://www.sq-skim.com where you can download the sample skimming application and view a video of this type of fraud in action.

Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor), and we invite their comments.

Consumer trust is what’s really at stake. If the industry allows Square and other similar attempts to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure and financial systems developed over the last three decades.

Secure payment systems, like those provided by VeriFone and other credible providers which adhere to the highest level of security practices, are critical in protecting consumers, merchants and banks. Without this protection, all commerce – conducted with plastic or mobile devices – is a catalyst for massive personal and institutional financial loss.

There is great promise in the future of mobile payments and our innovations will help drive the industry forward. It is our hope that both consumers and merchants will take it upon themselves to become educated on the security risks involved with some of these experimental payment acceptance methods, like Square, and make informed decisions to protect themselves and their customers.

We take security very seriously. Securing payment transactions is what we do, and yes – calling attention to and protecting against these types of security threats to consumers, merchants and banks is our responsibility.

We call on Square to do the responsible thing and recall these card skimming devices from the market.

Doug Bergeron
CEO, VeriFone

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s