UPDATED (x3). Internet payment firm VeriFone today released an open letter, with the stated intent of alerting consumers to the risks inherent in using rival Square’s method of mobile payments. Square allows you to use a free dongle that plugs into the headset jack of your iOS or Android device to accept credit card payments. VeriFone found you can easily create an app that uses the dongle to skim financial and personal info from a user’s credit card, so it went ahead and created one.
In his open letter regarding the exploit, VeriFone CEO Douglas G. Bergeron explained how it works:
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
VeriFone even went so far as to release the version of the fake Square app it created to the public as an .ipa/provisioning file combo for installation on your iPhone or iPad. The company is sending that same app to Visa, MasterCard, Discover, American Express and JP Morgan Chase for their consideration.
There’s no denying that Square presents a risk to consumers in the manner indicated by VeriFone. The app does indeed do what it says on the tin, providing a way for motivated criminals to acquire and potentially abuse the sensitive personal info of duped credit card holders. But there’s also no denying that VeriFone has a considerable vested interest in seeing Square fail.
VeriFone is in the business of securing digital transactions. It entered the mobile payment game shortly after Square, going head-to-head with Square using its own PayWARE mobile payment hardware and app for iPhone, and
just this month last year it announced Apple Store availability for that PayWARE product. VeriFone obviously wouldn’t include this in its open letter, but it’s at war with Square.
Exposing Square’s security vulnerabilities in this manner is an act of outright hostility on VeriFone’s part, and a sign that it’s unnerved by Square’s growth. Not only did the company create an app that specifically targeted Square’s payment system, it publicly released the finished product of that effort for public distribution. I contacted VeriFone and Square to see if the company made this info available to Square privately before going public, but I’ve yet to hear back. If this move is coming at Square out of the blue, it’s a severely murky ethical move on VeriFone’s part, since normally, white-hat hackers (those who don’t intend to use exploits for malicious purposes) privately approach companies to get them to address vulnerabilities without going public. Technology and intellectual property lawyer Evan Brown of Internet Cases had this to say about the ethics of VeriFone’s actions:
In my mind this isn’t so much of a legal issue as it is an ethical one. And in all this we’ve got to stay aware of VeriFone’s motives. Naturally it views Square as a competitive threat, or at least as a threat to the integrity of that industry. The question refines itself into an inquiry of whether VeriFone has gone too far by doing this, or in other words, whether the benefit created by releasing this application into the wild (awareness raising) outweighs the real potential for the technology to be used for harm. Was it really necessary to put the skimming technology into the marketplace, thereby placing real consumer money at risk to make the point? It’s a great question for utilitarian philosophers to ponder. Personally, I’m hard-pressed to find a good philosophical justification for actually releasing a technology that has stealing money as its main purpose.
The exploit’s release could even be legally questionable, since if the code released is used for illegal purposes, VeriFone could even be subject to prosecution, as happened with PS3 hacker Geohot. Brown shared his thoughts with me about whether VeriFone could potentially be subject to any legal recourse on the part of Square or users who might be affected by malicious use of this tool:
It’s interesting to consider whether a victim of theft committed by this tool could sue VeriFone for what one might call “contributory” theft. The victim could borrow from copyright law on this: remember Grokster. The courts shut down Grokster because it marketed that tool as an instrument to commit copyright infringement. But a claim like this would definitely have its difficulties — Grokster lost because of the way it marketed the product, i.e., “go use this to infringe.” VeriFone has cloaked its communications in the name of public service — “we’re releasing this to show how bad Square is.” There’s an important difference there, one that would likely protect VeriFone if a victim were to take it to task.
Another angle involves copyright again — it would be interesting to know whether and to what extent VeriFone had to use any code proprietary to Square to develop the skimming application. That might give it some copyright infringement problems. I have no idea whether it had to or not. Similarly, did VeriFone have to circumvent any of Square’s DRM to create the application? That could give VeriFone problems under the anticircumvention provisions of the DMCA.
In short, VeriFone looks to have mostly covered its back with regard to any serious legal implications, but that doesn’t mean this isn’t still a very aggressive and ethically questionable move. This is an ugly turn in an already steeped battle, and we’ll keep you updated if and when hear back from both sides.
UPDATE: Edelman PR VP Victoria Brown got back to us with official comment from Verifone. In response to the question of whether or not Square was notified in advance that this vulnerability existed, she had this to say:
The devices are already in the market, so we felt there was a compelling need to alert the public. Square has known about its security flaws for months now (and we were not the first to point it out), but has chosen to ignore the issue and focus on doing whatever it can to boost the numbers of those systems out there.
UPDATE 2: Brown also shared this comment regarding the legality of the app released by VeriFone to demonstrate the Square vulnerability:
The app VeriFone published is a demo version and does not contain source code so it cannot be used for skimming.
This means that the VeriFone demo app then probably can’t lead to any legal action on the part of users or Square.
UPDATE 3: VeriFone has taken down the demo app it created, and the video of the app in action since this post was originally published, so neither are available in the updated version of VeriFone CEO Douglas Bergeron’s open letter linked above.
We have yet to hear from Square, but we’ll update again as needed.
Related content from GigaOM Pro (sub req’d):