March 2011

Verifone Attacks Square

Verifone Attacks Square

In an open letter addressed to the online payments industry and consumers, Verifone CEO Douglas G. Bergeron directly attacked the Square founders for introducing a magnetic credit card reader for smartphones that is incapable of encrypting consumers' data at the point of being transferred to a host Android or iOS device. He argued all Square card readers should immediately be recalled from the market. The company is also in the process of handing over its demonstration application that utilises the Square device to capture enough data from major payments card issuers such as Visa, MasterCard, American Express and Square's partner bank JPMorgan Chase to produce clone cards.

Verifone followed up the letter with a media campaign including an advertisement on Facebook that reads : "Be Secure. Not Square. Trade in your Square credit card reader for a free, SECURE device from VeriFone. Free Trade -in offer!" The ad has gathered a good amount of anti -Verifone response on Twitter (with tweets by co -founded of Square - Jack Dorsey).

NFC World Congress 2011

Square is a small, magnetic credit card reader that works with iPads, iPhones and Android devices. The device is plugged into the headphone socket of an iPhone or iPad. When a credit/debit card is swiped by the reader, a signal is sent through the headphone/microphone socket. Square's application software interprets the signal, and then sends transaction data using either a Wi-Fi or a 3G internet connection to back -end servers, which in turn communicate with the payment networks to complete the financial transaction.

Square offers receipts displaying the merchant's name who swiped the card, a map of the location where the transaction took place, and an itemised description of what was purchased. Customers can save their receipts from Square merchants in their email archives.

On the other hand Verifone's PAYware Mobile device works only with the Apple iPhone (3GS, and 3G ). The PAYware Mobile is bigger than the Square card reader. Every financial transaction can be tracked on PAYware Mobile through the single PAYware Mobile Gateway. In case the device is lost or stolen, customer can deactivate the Mobile via the Gateway. PAYware Mobile emails transaction receipts to customers, and a transaction record is made accessible in the application and PAYware portal, which can be easily reprinted.

Key Points Table :

Square Verifone
Has a simple pricing structure, and charges a flat rate of 2.75 % on every monthly transaction Has a complex fee structure with interchange, assessment, processor mark-up fees and a monthly standard charge. PAYware Mobile only starts to get competitive when the average transaction is over $30 and the merchants turn -over is high (see: for an interactive comparison tool.
Works with the iPhone, iPad and Android devices Works only with the Apple iPhone
Small Square dongle attached to headphone/microphone Socket Verifone shell which encapsulates the phone, using the dock connector.

The Accusation against Square :

Douglas G. Bergeron wrote : "In less than an hour, any reasonably skilled programmer can write an application that will "skim" - or steal - a consumer's financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know ? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this".

All you need is a Square dongle that is available for free and create a fake Square application on your smartphone. Then, insert the dongle into the audio jack of the smartphone or iPad, and that how so simply you get a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card.

VeriFone believes the culprit (of course Square's owners) have build in a "poorly constructed" credit card reader that has no ability to encrypt a customer's personal data.

Verifone's CEO fears Square's credit card reader will give cyber criminals enough room to turn the reader into a skimming device, thereby leading to large-scale cloning of consumer credit cards around the world.

Verifone Attacks Square

Figure 1: Square Reader

Verifone Attacks Square

Figure 2: Verifone PAYware Mobile

In response to Verifone's accusation of the magnetic credit card reader posing serious "security flaws", Square CEO Dorsey published his own open letter "on credit card security and Square" on 9 March 2011 where he argued : "Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card. Any technology - an encrypted card reader, phone camera, or plain old pen and paper - can be used to "skim" or copy numbers from a credit card. If you provide your credit card to someone who intends to steal from you, they already have everything they need : the information on the front of your card".

According to Jack, anybody and at anytime can forge a credit card. For instance, a person can take photos of your credit card or simply write down the card number when you are busy enjoying a drink or chatting with your friend.

On March 9, 2011, Greg Kumparak (the editor of calls Verifone CEO's open letter a "FUD" - Fear, Uncertainty, Doubt. Greg believes the problem lies with the credit card system itself, which is working more on trust rather than on heavily built security measures.

Over the years, experts have shown how easily encoding in magstripe cards can be copied. Fraudsters swipe the card through a second magnetic-stripe whilst your card has been taken out of sight - in restaurants for instance.

According to Elvira Swanson, a spokesperson for Visa : "a magstripe card contains the card holder's name, a 16-digit credit card number, an expiration date and a credit verification value (CVV) - a three or four-digit number used in transactions in which the card is not present and the signature cannot be verified (mainly, online purchases)".

To prevent future misuse of magstrip cards, The European Payments Council passed a resolution on 31 January 2011. The Council spoke clearly on limited use of swipe cards, permitting the banks "to refuse magnetic stripe transactions if they so wish". [Source: European Payments Council - Doc EPC424-10]

Suparna Sen, Smartcard & Identity News


Unable to open RSS Feed with error SSL certificate problem: certificate has expired, exiting

Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication