March 2011

Verifone Attacks Square

In an open letter addressed to the online payments industry and consumers, Verifone CEO Douglas G. Bergeron directly attacked the Square founders for introducing a magnetic credit card reader for smartphones that is incapable of encrypting consumers' data at the point where it is transferred to a host Android or iOS device. He argued that all Square card readers should immediately be recalled from the market. The company is also in the process of handing over its demonstration application that uses the Square device to capture enough data from major payment card issuers such as Visa, MasterCard, American Express and Square's partner bank JPMorgan Chase to produce clone cards.

Verifone followed up the letter with a media campaign, including an advertisement on Facebook that reads: "Be Secure. Not Square. Trade in your Square credit card reader for a free, SECURE device from VeriFone. Free Trade-in offer!" The ad has gathered a good amount of anti-Verifone response on Twitter (with tweets by the co-founder of Square, Jack Dorsey).

Square is a small, magnetic credit card reader that works with iPads, iPhones and Android devices. The device is plugged into the headphone socket of an iPhone or iPad. When a credit/debit card is swiped by the reader, a signal is sent through the headphone/microphone socket. Square's application software interprets the signal, and then sends transaction data using either a Wi-Fi or a 3G internet connection to back-end servers, which in turn communicate with the payment networks to complete the financial transaction.

Square offers receipts displaying the name of the merchant who swiped the card, a map of the location where the transaction took place, and an itemised description of what was purchased. Customers can save their receipts from Square merchants in their email archives.

On the other hand, Verifone's PAYware Mobile device works only with the Apple iPhone (3GS and 3G). The PAYware Mobile is bigger than the Square card reader. Every financial transaction can be tracked on PAYware Mobile through the single PAYware Mobile Gateway. If the device is lost or stolen, the customer can deactivate it via the Gateway. PAYware Mobile emails transaction receipts to customers, and a transaction record, which can be easily reprinted, is made accessible in the application and the PAYware portal.

Key Points Table:

| Square | Verifone |
| --- | --- |
| Has a simple pricing structure, and charges a flat rate of 2.75% on every monthly transaction | Has a complex fee structure with interchange, assessment, processor mark-up fees and a monthly standard charge. PAYware Mobile only starts to get competitive when the average transaction is over $30 and the merchant's turnover is high (see: for an interactive comparison tool). |
| Works with the iPhone, iPad and Android devices | Works only with the Apple iPhone |
| Small Square dongle attached to the headphone/microphone socket | Verifone shell which encapsulates the phone, using the dock connector |

The Accusation against Square:

Douglas G. Bergeron wrote: "In less than an hour, any reasonably skilled programmer can write an application that will "skim" - or steal - a consumer's financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this".

All that is needed is a Square dongle, which is available for free, and a fake Square application on a smartphone. Insert the dongle into the audio jack of the smartphone or iPad, and the result is a mobile skimming device that fits in a pocket and can be used to illegally collect personal and financial data from the magnetic stripe of a payment card.

VeriFone believes the culprits (Square's owners, of course) have built a "poorly constructed" credit card reader that has no ability to encrypt a customer's personal data.

Verifone's CEO fears Square's credit card reader will give cyber criminals enough room to turn the reader into a skimming device, thereby leading to large-scale cloning of consumer credit cards around the world.

Figure 1: Square Reader

Figure 2: Verifone PAYware Mobile

In response to Verifone's accusation that the magnetic credit card reader poses serious "security flaws", Square CEO Dorsey published his own open letter "on credit card security and Square" on 9 March 2011, where he argued: "Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card. Any technology - an encrypted card reader, phone camera, or plain old pen and paper - can be used to "skim" or copy numbers from a credit card. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card".

According to Jack, anybody can forge a credit card at any time. For instance, a person can take photos of your credit card or simply write down the card number while you are busy enjoying a drink or chatting with your friend.

On March 9, 2011, Greg Kumparak (the editor of calls Verifone CEO's open letter a "FUD" - Fear, Uncertainty, Doubt. Greg believes the problem lies with the credit card system itself, which works more on trust than on heavily built security measures.

Over the years, experts have shown how easily the encoding on magstripe cards can be copied. Fraudsters swipe the card through a second magnetic-stripe reader while your card is out of sight, in restaurants for instance.

According to Elvira Swanson, a spokesperson for Visa: "a magstripe card contains the card holder's name, a 16-digit credit card number, an expiration date and a credit verification value (CVV) - a three or four-digit number used in transactions in which the card is not present and the signature cannot be verified (mainly, online purchases)".

To prevent future misuse of magstripe cards, the European Payments Council passed a resolution on 31 January 2011. The Council spoke clearly in favour of limiting the use of swipe cards, permitting the banks "to refuse magnetic stripe transactions if they so wish". [Source: European Payments Council - Doc EPC424-10]

Suparna Sen, Smartcard & Identity News

