The controversy over VeriFone’s attempt to call out Square is about to be reignited. To recap: Earlier this month VeriFone identified a potential vulnerability with rival Square’s mobile payment system and card reader and released to the public a demo app for the iPhone that showed how the Square system could be used to steal a user’s personal information. VeriFone claimed at the time that the app couldn’t actually skim credit cards — saying it was meant only as a demonstration — and eventually removed the download link. New evidence, however, shows that the app does skim and store credit card data, and makes it easily accessible to users.
Justin W. Clarke, a San Francisco-based independent security consultant, was suspicious of VeriFone’s claim that the app couldn’t be used to actually skim credit cards, and decided to test that assumption by installing and using the demo app released by the company on his own iPad, using his own Square reader.
He discovered that while the app doesn’t display info itself regarding the details of the credit cards swiped while in use, the app does log all the information, including the credit card number, expiration date, and the magnetic stripe’s Track 2 data in its entirety. That information is stored in the iOS device’s console, where it can be retrieved by connecting the device to a Mac via USB and accessing it with Apple’s Xcode developer tool (which is now available to all in the Mac App Store for $4.99), or using the free iPhone Configuration Utility, also an official Apple program which provides access to an iOS device’s console. And even though VeriFone removed download links for the app from its site, it’s not difficult to find copies mirrored at other hosting sites around the web.
So what does this mean for VeriFone? According to Clarke, it’s possible that the app violates the payment card industry standard, which requires the following of payment apps:
1.1.1 After authorization, do not store the full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
Of course, the app in question is just a demo, so it’s likely exempt from this requirement, but it does raise anew the possibility that Evan Brown of Internet Cases brought up in our earlier piece – that one could “consider whether a victim of theft committed by this tool could sue VeriFone for what one might call ‘contributory’ theft.”
A VeriFone spokesperson reiterated that “the app contains no source code,” but wasn’t able to comment at the time of posting regarding Clarke’s ability to access info gathered by the app. I’ll update the post with further comment as it arrives.
Meanwhile, Square has denied all along the seriousness of VeriFone’s claims regarding its security measures, arguing that any face-to-face transaction involving credit cards involves just as much risk of theft as VeriFone’s demo app, and it’s true, as Square mentions, that the credit card number and expiration date are easily obtained through other means. But what’s worth noting here is that VeriFone’s claims that its version of the app couldn’t be used for malicious purposes unmodified may be wrong. If so, the reputation that stands to lose the most from its attempt to discredit a rival may be VeriFone’s own.