VeriFone, a payment processor that makes those credit card readers you see in virtually every store (the big gray ones with a number pad), has launched a smear campaign against my favorite payment processor, Square.
Here's the gist:
Today is a wake-up call to consumers and the payments industry. Last year, a start-up named Square introduced a credit card reader for smartphones with the goal of making it very easy for anyone to accept credit cards through a mobile device. Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.
In less than an hour, any reasonably skilled programmer can write an application that will "skim" – or steal – a consumer's financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you've got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It's shockingly simple.
You know what else is shockingly simple? Someone taking a picture of both sides of your credit card. Or writing down your name, card number, security code, and expiration date.
The key is the word criminal. If a nefarious person wants your credit card info, and they have access to the actual card, they're going to get it. And it is a lot easier to take pictures than code an app.
The moral of the story is "don't give your credit card to someone you don't trust."
Lastly, to cross the boundary from being a jerk to being a troll, VeriFone says:
Don't take our word for it. See for yourself by downloading the sample skimming application and viewing a video of this type of fraud in action.
Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square's credit card processor), and we invite their comments.
So not only is VeriFone handing this app they concocted to Square's business associates, they are also releasing it for anyone — including criminals — to download and use. I guess criminals don't have to devote an hour to writing an app, because VeriFone did it for them.
Here's my take on this whole thing: VeriFone is spreading a metric ton of FUD, because they are scared of Square. See, Square's reader is free, whereas VeriFone's PAYware Mobile requires a contract, or costs $149 without a contract. Square's reader fits in the coin pocket of my jeans. PAYware Mobile is anything but comfortably pocketable. Also, VeriFone requires a merchant account; Square doesn't.
What VeriFone is really scared of is people like you and me being able to accept card payments on the cheap at our garage sales, then telling our friends and family who own businesses how they could be saving money. See, Square went after VeriFone's lunch (and they're eating it). So now VeriFone is playing dirty.
Do yourself a favor and go sign up for Square.
From John Gruber's take on this farce:
When you swipe a U.S. credit card, the magnetic strip only contains the information printed on the card itself: the card number, the expiration date, your name, etc. Nothing can be “stolen” using Square’s card readers that cannot be stolen by simply looking at the card with your eyes or a camera. Nothing.
Another from Craig Hockenberry on Twitter:
You'd think the CEO of a card security company would know this basic fact: