Verifone, a mobile payments service, has just released an open letter from its CEO, Douglas Bergeron, claiming the company has found a security hole in rival Square’s credit card reader.
Bergeron says his developers were able to write an app that can strip information from credit cards swiped using one of the free readers Square gives customers.
The letter even goes so far as to demand Square recall all its readers until it can come up with an encryption system to protect customer data.
This is the latest shot in the war between mobile payments services. A few weeks ago, Square stopped charging users $0.15 for each transaction.
Here’s an excerpt from the letter that will tell you everything you need to know:
Today is a wake-up call to consumers and the payments industry. Last year, a start-up named Square introduced a credit card reader for smartphones with the goal of making it very easy for anyone to accept credit cards through a mobile device. Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.
In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilising an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.
Let me explain how easy it is to exploit the vulnerability.
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.
There are hundreds of thousands of these insecure devices already floating out there and more are given away for free every day. And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card. Your card data is then instantly and illegally captured in the smartphone, un-encrypted – and voila, you’re a fraud victim.
Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.