18 Comments

Summary:

Internet payment firm VeriFone found that you can easily create an app that uses the payment dongle employed by its competitor Square to skim financial and personal info from a user’s credit card, so it went ahead and created one and released it to the public.


UPDATED (x3). Internet payment firm VeriFone today released an open letter, with the stated intent of alerting consumers to the risks inherent in rival Square’s method of mobile payments. Square gives merchants a free dongle that plugs into the headset jack of an iOS or Android device and lets them accept credit card payments through Square’s app. The dongle simply passes the card’s magnetic-stripe data to whatever app is listening on the audio input, so VeriFone found it easy to write a look-alike app that uses the dongle to skim financial and personal info from a customer’s card, and it went ahead and created one.

In his open letter regarding the exploit, VeriFone CEO Douglas G. Bergeron explained how it works:

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

VeriFone even went so far as to release the version of the fake Square app it created to the public as an .ipa/provisioning file combo for installation on your iPhone or iPad. The company is sending that same app to Visa, MasterCard, Discover, American Express and JP Morgan Chase for their consideration.

There’s no denying that Square presents a risk to consumers in the manner VeriFone describes. The app does what VeriFone says it does: it gives a motivated criminal a way to capture, and potentially abuse, the card data of duped cardholders. But there’s also no denying that VeriFone has a considerable vested interest in seeing Square fail.

VeriFone is in the business of securing digital transactions. It entered the mobile payment game shortly after Square, going head-to-head with it using its own PayWARE mobile payment hardware and app for iPhone, and a year ago this month it announced Apple Store availability for that PayWARE product. VeriFone obviously wouldn’t say so in its open letter, but it’s at war with Square.

Exposing Square’s security weakness in this manner is an act of outright hostility on VeriFone’s part, and a sign that it’s unnerved by Square’s growth. Not only did the company build an app that specifically targets Square’s payment system, it released the finished product for public download. I contacted VeriFone and Square to ask whether VeriFone made this information available to Square privately before going public, but I have yet to hear back. If this move is coming at Square out of the blue, it’s an ethically murky one on VeriFone’s part: white-hat researchers (those who don’t intend to use exploits for malicious purposes) normally approach a company privately and give it a chance to address a vulnerability before going public. Technology and intellectual property lawyer Evan Brown of Internet Cases had this to say about the ethics of VeriFone’s actions:

In my mind this isn’t so much of a legal issue as it is an ethical one. And in all this we’ve got to stay aware of VeriFone’s motives. Naturally it views Square as a competitive threat, or at least as a threat to the integrity of that industry. The question refines itself into an inquiry of whether VeriFone has gone too far by doing this, or in other words, whether the benefit created by releasing this application into the wild (awareness raising) outweighs the real potential for the technology to be used for harm. Was it really necessary to put the skimming technology into the marketplace, thereby placing real consumer money at risk to make the point? It’s a great question for utilitarian philosophers to ponder. Personally, I’m hard-pressed to find a good philosophical justification for actually releasing a technology that has stealing money as its main purpose.

The release could even be legally questionable: if the code is used for illegal purposes, VeriFone could find itself the target of legal action, as PS3 hacker Geohot did when Sony sued him. Brown shared his thoughts with me about whether VeriFone could be subject to legal recourse on the part of Square, or of users who might be affected by malicious use of this tool:

It’s interesting to consider whether a victim of theft committed by this tool could sue VeriFone for what one might call “contributory” theft. The victim could borrow from copyright law on this: remember Grokster. The courts shut down Grokster because it marketed that tool as an instrument to commit copyright infringement. But a claim like this would definitely have its difficulties — Grokster lost because of the way it marketed the product, i.e., “go use this to infringe.” VeriFone has cloaked its communications in the name of public service — “we’re releasing this to show how bad Square is.” There’s an important difference there, one that would likely protect VeriFone if a victim were to take it to task.

Another angle involves copyright again — it would be interesting to know whether and to what extent VeriFone had to use any code proprietary to Square to develop the skimming application. That might give it some copyright infringement problems. I have no idea whether it had to or not. Similarly, did VeriFone have to circumvent any of Square’s DRM to create the application? That could give VeriFone problems under the anticircumvention provisions of the DMCA.

In short, VeriFone looks to have mostly covered its back with regard to any serious legal implications, but that doesn’t mean this isn’t still a very aggressive and ethically questionable move. This is an ugly turn in an already heated battle, and we’ll keep you updated if and when we hear back from both sides.

UPDATE: Edelman PR VP Victoria Brown got back to us with official comment from VeriFone. In response to the question of whether Square was notified in advance that this vulnerability existed, she had this to say:

The devices are already in the market, so we felt there was a compelling need to alert the public. Square has known about its security flaws for months now (and we were not the first to point it out), but has chosen to ignore the issue and focus on doing whatever it can to boost the numbers of those systems out there.

UPDATE 2: Brown also shared this comment regarding the legality of the app released by VeriFone to demonstrate the Square vulnerability:

The app VeriFone published is a demo version and does not contain source code so it cannot be used for skimming.

If the published build really is a non-functional demo, it probably can’t lead to any legal action on the part of users or Square. One caveat, though: whether a compiled app can skim depends on what the binary actually does when a card is swiped, not on whether its source code was released alongside it.

UPDATE 3: Since this post was originally published, VeriFone has taken down both the demo app it created and the video of the app in action, so neither is available in the updated version of VeriFone CEO Douglas Bergeron’s open letter linked above.

We have yet to hear from Square, but we’ll update again as needed.


  1. “release the version of the fake Square app it created to the public as an .ipa/provisioning file combo”

    The open letter states you can download it. I don’t see a link to that on the “skim” site.

    Apple doesn’t allow third-party distribution of apps in this fashion, either. The description you provide is for ad hoc distribution in which up to 100 specifically identifying iOS device IDs are added by the developer, which enables the use of the provisioning certificate. Without that encoding, the IPA (program file) cannot be run even with the certificate installed.

    VeriFone likely has an enterprise license from Apple, which allows in-house distribution of apps, but this is not permitted for distributing apps to other parties.

    If VeriFone has created a method in which it can provide an iOS app to any arbitrary party without using ad hoc distribution and the limit included, Apple will likely pull its ticket and disable the app and other features of VeriFone’s development environment.

  2. I use the Square device every weekend and I see how this sounds bad, but the person/potential victim is handing me their credit card and watching me swipe it in the context of a sale. I’m not sure what the big deal is. I still need the credit card. If I can steal their physical credit card to swipe it with my modded Square device, I can do the same thing with a pencil and paper, can’t I?

  3. Thanks for getting an attorney’s opinion involved as it helps bring some clarity. Still not sure I buy into the “VeriFone has cloaked its communications in the name of public service” argument, as this could have also been accomplished by disclosing the app privately to J.P. Morgan and the credit card companies, without releasing it for public download. But then again I am an accountant, not an attorney. Yet as such, I know the frustrations many business owners experience with credit card processors.

  4. No copyright infringement or code stealing needed, and certainly no DRM involved. Home-brew card readers have been around for decades; it isn’t a complex standard – part of why “skimmers” at ATMs and gas stations are such a problem.

    The Square reader simply adds some amplification to the magnetic reader head to send the signal through the audio jack; all processing is in the iPhone/Android. All the security is in the communications with the payment Gateway/Processor – same as for ANY device, even VeriFone’s readers. You have to trust that the person swiping your card is honest, and using a “real” device.

    VeriFone is simply creating FUD – fear, uncertainty, doubt. When you swipe your card through a VeriFone-labeled box, you are trusting that the label accurately represents what’s in the box – same for an ATM or gas station. Also the same for a website – you have to trust that the screens and inputs you get are real.

    In this sense, VeriFone and Square are neither more reliable nor more secure than the other. It may be easier to “fake-up” the small Square reader – but I’d bet it wouldn’t be hard to find a used VeriFone card scanner on craigslist or wherever, gut it, and make a skimmer.

  5. There are plenty of smaller, more suited-for-the-job skimming devices available, and have been for years. Hey, here is a tiny, battery-powered one, right on eBay! http://bit.ly/fFGIWh

    Besides, VeriFone violated Apple’s TOS when they released software using the internal Enterprise App distribution method, which is NOT allowed for public release.

  6. Is there some implication here that their own mobile payment hardware can’t be used in a similar manner? I don’t see any reason to think that wouldn’t be the case. I’d assume that if the hardware sends the data to the iPhone, it can be captured by a custom app.

  7. Even more blabber:

    “The devices are already in the market, so we felt there was a compelling need to alert the public.”

    Same as Windows has been in the market too, and it doesn’t mean security researchers go around publishing exploits without first notifying Microsoft. VeriFone went as far as publishing a PoC demonstrating the “flaw”, and making a video about the issue. This is taking things way further than a normal advisory would. Hate is the word, fear the motivation.

  8. If consumers really fear that their credit card information could be stolen, then they should also realize that scammers can buy a USB magnetic-stripe reader on Amazon for under $10 and just as easily create software for a computer to do the same thing. If ANYONE has gone to a trade show booth they should know the threat is just as real there as it would be with a mobile device. It comes down to consumers having good judgement and buying from people they trust. Gmail didn’t stop their email service just because Yahoo knows how to create phishing emails.

    The reading device itself is irrelevant. Get over it VeriFone.

  9. When I read your updated question about whether Square was given any notice by VeriFone, their response seemed evasive. In an article on CW, they did confirm no notice was given as to the intent to create a downloadable app or post a now banned video on YouTube; apparently they cannot even be transparent with the media either.

    If possible I will forgo using companies that use VeriFone.

  10. There is something eerily similar between what’s going on in the Middle East and VeriFone’s attack on Square today. Not only does VeriFone not understand the world as it is today with regards to the Internet, connectivity and social networks. The VeriFone CEO, like the dictators in the Middle East, is putting out propaganda and fear in order to get his constituents (merchants) to ignore the realities of the market and keep the status quo (buying their terminals).

    This already smells like a tremendous PR fiasco and for sure it puts their CEO in a questionable position of leadership for messing things up twice for the company. VeriFone shareholders should be extremely concerned about the company’s disconnect from the realities of the market and the opportunities that are being missed by not having a vision.

  11. No trackbacks? My response to the VeriFone “open letter”:

    http://mikepuchol.com/2011/03/09/verifon-and-its-open-letter-against-square/

    As for the video, it was removed by YouTube for TOS violations, and VeriFone has uploaded it to Vimeo Brightcove, and updated the embedded link on sq-skim.com. IMHO, very lame…

    1. Mike, as of the time of the latest update, the embedded link is gone from the open letter.

      1. Cyndy, check again – the page is showing a new embedded Flash video, hosted on Brightcove. I’ve taken a screenshot just in case…

      2. I see the video now, but the hack itself is still gone. Did YouTube cite which part of TOS it violated? Or was it filed under “encouraging illegal activity?”

  12. This is a sad attempt by Verifone to grab some market share. A person would have to convince me to hand over my card for this exploit to work. What is he selling? Where is he taking my card? To use this exploit I would have to be convinced to buy something and then I might have cash. How exactly would someone use this? It’s sucky that Verifone got caught out being dbags. I am a happy user of Square and their service has been a true blessing to us small businesses that can’t get expensive merchant accounts. Verifone,Intuit and PayPal are out of gas.

  13. I admire Square for bringing a level of innovation to the payment industry. It’s clearly needed.

    That said, there are right ways, and those that are tainted.

    Let’s acknowledge the following:
    1. that mag stripe security is a joke.
    2. cell phone security elusive.
    3. Payments are an intimate transaction between a buyer, and in theory, a trusted seller (merchant)
    4. With new innovation, comes new complexities and new responsibilities.

    So what does this mean to Square?

    Square cannot do anything about point 1.
    Square seems to have complete disregard for merchant qualification. Thus, the message: trust no one.
    Square has a responsibility to encrypt the transaction path – anyone who thinks that is not the case is frankly ill-informed.
    Square needs to be PCI compliant…

    For good or bad, new innovators in the payment space need to do better – on several fronts – than the legacy solutions – that is the responsibility of an innovator. Today, Square is doing less, not more. That is not good.

    I don’t agree with the tactics of VeriFone.

    My bet is either VISA or MasterCard, or both, yank their support for Square until they beef up the system. If they don’t, it’s only because the business risk based on the transaction volume is a rounding error. The problem of course is that it sets a precedent that over time will become a train wreck.

    What is interesting (to me, at least), is that Chase seems so silent here…

    1. Bob,

      Did you read that Square is PCI Level 1 compliant? Also, have you read the actual PCI requirements documentation? I have actually implemented a solution based on a USB keyboard+reader combo connected to a PC, with custom software reading the bare magstripe data (it comes in as keyboard input), and I can assure you we met all PCI requirements. There is NO mandatory requirement to encrypt the data as it travels from the card reader to your application, only in how you handle the data itself. You could place a chip on the reader that encrypts data as it comes off the magnetic head… but what about the trip from the magnetic head to the encryption chip? You can just as well intercept the data there and send it elsewhere.

      There is simply no way to guarantee 100% safe transmission of the magstripe data – criminals have even placed extra read heads in ATMs, complete with cameras to capture the PIN as it is typed by the user.

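Comment 4 above describes the Square reader as an amplified head that hands raw stripe data to whatever app is listening on the audio input, and the reply to comment 13 describes reading the same bare magstripe data as keyboard input from a USB reader. As an added example, not code from Square, VeriFone or any commenter, the Python below parses a constructed ISO/IEC 7813 swipe (Track 1 and Track 2, built from the well-known 4111 1111 1111 1111 test number and a made-up cardholder, expiry and discretionary field) to show exactly which fields any app on the phone or PC can read, Luhn-checks the PAN to catch a bad read, and reduces the swipe to the masked record a PCI-conscious app would keep. The sample swipe and the helper names are this example’s own assumptions.

```python
"""Decode the cleartext ISO/IEC 7813 tracks a magstripe reader hands to an app.

Added example, not code from Square, VeriFone or the commenters.  The
swipe below is constructed from the Visa test number 4111 1111 1111 1111
with a made-up name, expiry and discretionary data; it is not real card data.
"""
import re

# Constructed sample swipe: Track 1 followed by Track 2, each ending in the
# '?' end sentinel.  LRC characters are omitted; many readers strip them.
SAMPLE_SWIPE = (
    "%B4111111111111111^DOE/JOHN^25121011234000012345?"
    ";4111111111111111=25121011234000012345?"
)

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_valid(pan: str) -> bool:
    """True if the PAN passes the Luhn (mod 10) check-digit test."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _expiry(yymm: str) -> str:
    """Stripe stores YYMM; present it as MM/YY."""
    return f"{yymm[2:]}/{yymm[:2]}"


def parse_swipe(raw: str) -> dict:
    """Split a raw swipe into its tracks.  Everything is cleartext: the reader
    does no encryption, so any app reading the audio or keyboard input sees
    the same fields a legitimate payment app does."""
    tracks = {}
    m1 = TRACK1_RE.search(raw)
    if m1:
        tracks["track1"] = {
            "pan": m1["pan"],
            "name": m1["name"],
            "expiry": _expiry(m1["exp"]),
            "service_code": m1["svc"],
            "discretionary": m1["disc"],
        }
    m2 = TRACK2_RE.search(raw)
    if m2:
        tracks["track2"] = {
            "pan": m2["pan"],
            "expiry": _expiry(m2["exp"]),
            "service_code": m2["svc"],
            "discretionary": m2["disc"],
        }
    if not tracks:
        raise ValueError("no ISO 7813 track found in swipe")
    for t in tracks.values():
        if not luhn_valid(t["pan"]):
            raise ValueError("PAN fails Luhn check: bad read or tampered data")
    return tracks


def mask_pan(pan: str) -> str:
    """PCI DSS display form: at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retainable_record(raw: str) -> dict:
    """What a payment app may keep after authorisation: masked PAN, expiry and
    cardholder name.  Full track data and the discretionary field (which
    carries the CVV1/CVC1) must never be stored."""
    tracks = parse_swipe(raw)
    t1 = tracks.get("track1", {})
    t2 = tracks.get("track2") or t1
    return {
        "masked_pan": mask_pan(t2["pan"]),
        "expiry": t2["expiry"],
        "cardholder": t1.get("name", ""),
    }


if __name__ == "__main__":
    print(parse_swipe(SAMPLE_SWIPE))
    print(retainable_record(SAMPLE_SWIPE))
```

Run it against the constructed swipe and the point of both comments is visible: PAN, cardholder name, expiry and the discretionary data (including the stripe’s CVV1) all arrive in the clear, so the only thing separating a payment app from a skimmer is what it does with them after `parse_swipe` returns.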

Comments have been disabled for this post