By John Gruber
VeriFone, a large payment processing corporation, has launched a full-on hit job against Square:
Today is a wake-up call to consumers and the payments industry. Last year, a start-up named Square introduced a credit card reader for smartphones with the goal of making it very easy for anyone to accept credit cards through a mobile device. Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.
In less than an hour, any reasonably skilled programmer can write an application that will “skim” — or steal — a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.
This is pure, unadulterated FUD. When you swipe a U.S. credit card, the magnetic strip only contains the information printed on the card itself: the card number, the expiration date, your name, etc. Nothing can be “stolen” using Square’s card readers that cannot be stolen by simply looking at the card with your eyes or a camera. Nothing.
Update: The magnetic strip contains a CVV1 number that isn’t printed on the card (it’s the CVV2 number that’s printed, for verifying online purchases), but still, the overall point stands: VeriFone’s attack against Square is FUD.
★ Wednesday, 9 March 2011