VeriFone, a huge provider of credit card processing systems that’s been around since time immemorial, has taken a huge swipe at upstart Square today, branding its free, headphone jack-based credit card readers “skimming devices” and demanding their immediate removal from the market. Crazy, right?
Let me explain how easy it is to exploit the vulnerability.
“…someone could write an application that captures input from the Square mag stripe reader and then stores that card data, perhaps sending it to a third-party. This could provide low-cost skimming for the masses.”
A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.
VeriFone’s CEO has thrown up a YouTube video talking about the exploit it’s thrown together, and it’s more of a social engineering hack than a technical one: a bad guy makes a fake Square app for his phone, plugs in the reader, and steals your unencrypted credit card details without running a “real” payment through Square’s system. They’re really going big with this, too… not only is VeriFone’s sample app available for download, but they’ve sent notices to Visa, MasterCard, American Express, and JP Morgan Chase, which handles Square’s processing. Sounds like a possible problem, sure — but when the “exploit” is being announced in such grand fashion by a company that’s most threatened by Square’s business model, you can’t help but feel a little ugh about it.