VeriFone Seeks Recall of Square Credit Card Readers

In a highly unusual move, electronic payment vendor VeriFone Wednesday said it found a 'gaping' security hole in a free plug-in mobile credit card reader from Square, a startup launched by Twitter founder Jack Dorsey.

In an open letter to 'industry and consumers,' VeriFone CEO Doug Bergeron called on Square to recall the devices because they pose a serious security threat to consumers.

Square, cofounded by Dorsey and Jim McKelvey in late 2009, offers a free device that can be plugged into the headphone jack of an iPhone, iPad or Android phone to instantly covert the device into a credit card reader.

Bergeron said Square's card readers don't encrypt cardholder data as a payment card is swiped through the machine. The vulnerability would allow criminals to write and use applications that can download credit card data to a mobile phone.

In a YouTube video , Bergeron said it took less than an hour for VeriFone personnel to write an application that could be used skim or steal unencrypted cardholder data held on a Square machine.

VeriFone has posted a sample skimming application for download by anyone who wants to verify how easy it would be to steal card data from a Square card reader. Bergeron said that VeriFone send a similar app to Visa, MasterCard, American Express and the other payment card companies.

"If the industry allows Square and others to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure," Bergeron said.

Square did not respond to a request for comment on VeriFone's charges.

Square touts its card readers as devices that can easily be used by taxi drivers, seasonal market and street vendors to accept credit card payments. "You can even have your friend that owes you $20 pay you with their card since their wallet always seems to be empty when you remind them," the company says in a note on its site.

Square currently accepts U.S.-issued MasterCard, Visa, American Express, and Discover cards and charges a flat 2.75% for all swiped transactions. Anyone can register for the service by simply providing Square a physical address, a social security number and a U.S. bank account number.

Gartner analyst Avivah Litan said Square currently processes card transactions valued at between $2 million and $10 million a week. The company has set a goal of processing $1 billion in card transactions in 2011, Litan said.

The Square service was officially launched in October, 2010, and claimed some 165,000 active accounts as of January, Litan said.

Paul Rasori, senior vice president of global marketing at VeriSign, today said the company decided to makes its claims public because the number of free Square card readers in use continues to grow.

VeriFone sells a similar device and fears consumers will abandon all such technology due to potential security problems, he said. "They have been sending out these card skimmers to anyone who asks for them," Rasori said. "They have created a huge problem. We felt compelled to nip it in the bud."

Rasori said that VeriFone's mobile card reader encrypts card holder data the moment a card is swiped, keeping it safe from malicious applications created to steal card data.

Rasori said that VeriFone did not formally notify Square about its security concerns prior to going public with them today. He contended that Square has known about this issue for some time.

Litan and others, though. faulted VeriFone's approach and said it was unusual for a technology vendor to disclose a security vulnerability publicly before give the other a chance to respond.

"We don't see this very often. "You can't help but wonder if this is all being driven by competitive worries," she said. "Square is a very unique, payment system and credit card brands are worried about all this innovation" and the threat it poses to traditional payment systems, she said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Subscribe to the Security Watch Newsletter

Comments