Comments on: VeriFone Attacks Rival Square With Ethically-Questionable Security Exploit

By: Mike Puchol

Mike Puchol — Thu, 10 Mar 2011 18:21:32 +0000

Bob,

Did you read that Square is PCI Level 1 compliant? Also, have you read the actual PCI requirements documentation? I have actually implemented a solution based on a USB keyboard+reader combo connected to a PC, with custom software reading the bare magstripe data (it comes in as keyboard input), and I can assure you we met all PCI requirements. There is NO mandatory requirement to encrypt the data as it travels from the card reader to your application, only in how you handle the data itself. You could place a chip on the reader that encrypts data as it comes off the magnetic head… but what about the trip from the magnetic head to the encryption chip? You can just as well intercept the data there and send it elsewhere.

There is simply no way to guarantee 100% safe transmission of the magstripe data – criminals have even placed extra read heads in ATMs, complete with cameras to capture the PIN as it is typed by the user.

By: Bob Egan

Bob Egan — Thu, 10 Mar 2011 16:38:15 +0000

I admire Square for bringing a level of innovation to the payment industry. Its clearly needed.

That said, there are right ways, and those that are tainted.

Lets acknowledge the following:
1. that mag stripe security is a joke.
2. cell phone security elusive.
3. Payments are an intimate transaction between a buyer, and in theory, a trusted seller (merchant)
4. With new innovation, comes new complexities and new responsibilities.

So what does this mean to Square?

Square cannot do anything about point 1.
Square seems to have complete dis-regard for merchant qualification. Thus, the message, trust no-one.
Square has a responsibility to encrypt the transaction path – anyone who thinks that is not the case is frankly ill-informed.
Square needs to be PCI compliant…

For good or bad, new innovators in the payment space need to do better – on several fronts – than the legacy solutions – that is the responsibility of an innovator. Today, Square is doing less, not more. That is not good.

I don’t agree with the tactics of VeriFone.

My bet, is either VISA or MasterCard, or both, yank their support for Square until they beef up the system. If they don’t, its only because the business risk based on the transaction volume is a rounding error. The problem of course, is that it sets a precedent that over time will become a train wreck.

What is interesting (to me, at least), is that Chase seems so silent here…

By: Cyndy Aleo

Cyndy Aleo — Wed, 09 Mar 2011 23:38:05 +0000

I see the video now, but the hack itself is still gone. Did YouTube cite which part of TOS it violated? Or was it filed under “encouraging illegal activity?”

By: Levy

Levy — Wed, 09 Mar 2011 23:02:13 +0000

This is a sad attempt by Verifone to grab some market share. A person would have to convince me to hand over my card for this exploit to work. What is he selling? Where is he taking my card? To use this exploit I would have to be convinced to buy something and then I might have cash. How exactly would someone use this? It’s sucky that Verifone got caught out being dbags. I am a happy user of Square and their service has been a true blessing to us small businesses that can’t get expensive merchant accounts. Verifone,Intuit and PayPal are out of gas.

By: Mike Puchol

Mike Puchol — Wed, 09 Mar 2011 22:56:24 +0000

Cyndy, check again – the page is showing a new embedded Flash video, hosted on Brightcove. I’ve taken a screenshot just in case…

By: Cyndy Aleo

Cyndy Aleo — Wed, 09 Mar 2011 22:47:36 +0000

Mike, as of the time of the latest update, the embedded link is gone from the open letter.

By: Mike Puchol

Mike Puchol — Wed, 09 Mar 2011 22:43:35 +0000

No trackbacks? My response to the VeriFone “open letter”:

http://mikepuchol.com/2011/03/09/verifon-and-its-open-letter-against-square/

As for the video, it was removed by YouTube for TOS violations, and VeriFone has uploaded it to ~~Vimeo~~ Brightcove, and updated the embedded link on sq-skim.com. IMHO, very lame…

By: Cyndy Aleo

Cyndy Aleo — Wed, 09 Mar 2011 22:30:28 +0000

Looks like at least someone wants one coded: http://www.freelancer.com/projects/by-tag/verifone-skimmer.html

By: Luiss

Luiss — Wed, 09 Mar 2011 22:28:43 +0000

There is something eerily similar what’s going on in the Middle East and VeriFone attack on square today. Not only does VeriFone not understand the world as it is today with regards to Internet, connectivity and social networks. The Verifone CEO like the dictators in the Middle East, are putting out propaganda and fear in order to get their constituents (merchants) to ignore the realities of the market and keep the status quo (buying their terminals).

This already smells like a tremendous PR fiasco and for sure it puts their CEO in a questionable position of leadership for messing things up twice for the company. VeriFone shareholders should be extremely concerned about the companies disconnect to the realities of the market and the opportunities that are being missed by not having a vision.

By: RandyRPR

RandyRPR — Wed, 09 Mar 2011 22:04:20 +0000

When I read your updated question about whether Square was given any notice by VeriFone, their response seemed evasive. In an article on CW, they did confirm no notice was given as to the intent create a downloadable app or post a now banned video on youtube, apparently they can not even be transparent with the media either.

If possible I will for go using companies the use Veriphone.