Tuesday May 24th 2016

VeriFone vs Square

VeriFone, a huge provider of credit card processing systems that’s been around since time immemorial, has taken a huge swipe at upstart Square today, branding its free, headphone jack-based credit card readers “skimming devices” and demanding their immediate removal from the market. Crazy, right?

Let me explain how easy it is to exploit the vulnerability.

“…someone could write an application that captures input from the Square mag stripe reader and then stores that card data, perhaps sending it to a third-party. This could provide low-cost skimming for the masses.”

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

VeriFone’s CEO has thrown up a YouTube video talking about the exploit it’s thrown together, and it’s more of a social engineering hack than a technical one: a bad guy makes a fake Square app for his phone, plugs in the reader, and steals your unencrypted credit card details without running a “real” payment through Square’s system. They’re really going big with this, too… not only is VeriFone’s sample app available for download, but they’ve sent notices to Visa, MasterCard, American Express, and JP Morgan Chase, which handles Square’s processing. Sounds like a possible problem, sure — but when the “exploit” is being announced in such grand fashion by a company that’s most threatened by Square’s business model, you can’t help but feel a little ugh about it.

