In a highly unusual move, electronic payment vendor VeriFone Wednesday said it found a "gaping" security hole in a free plug-in mobile credit card reader from Square, a startup launched by Twitter founder Jack Dorsey.
In an open letter to "industry and consumers," VeriFone CEO Doug Bergeron called on Square to recall the devices because they pose a serious security threat to consumers.
Square, co-founded by Dorsey and Jim McKelvey in late 2009, offers a free device that can be plugged into the headphone jack of an iPhone, iPad or Android phone to instantly convert the device into a credit card reader.
Bergeron said Square's card readers don't encrypt cardholder data as a payment card is swiped through the device. The vulnerability would allow criminals to write and use applications that can download credit card data to a mobile phone.
In a YouTube video, Bergeron said it took less than an hour for VeriFone personnel to write an application that could be used skim or steal unencrypted cardholder data as its swiped through a Square card reader.
VeriFone has posted a sample skimming application for download by anyone who wants to verify how easy it would be to steal card data from a Square card reader. Bergeron said that VeriFone sent a similar app to Visa, MasterCard, American Express and the other payment card companies.
"If the industry allows Square and others to short-circuit security best practices, it will seriously jeopardize the integrity and security of the payment infrastructure," Bergeron said.
Square did not respond to a request for comment on VeriFone's charges.
Square touts its card readers as devices that can easily be used by taxi drivers and seasonal market and street vendors to accept credit card payments. "You can even have your friend that owes you $20 pay you with their card, since their wallet always seems to be empty when you remind them," the company says in a note on its site.
Square currently accepts U.S.-issued MasterCard, Visa, American Express, and Discover cards and charges a flat 2.75% for all swiped transactions. Anyone can register for the service by simply providing Square with a physical address, a Social Security number and a U.S. bank account number.
Gartner analyst Avivah Litan said Square currently processes card transactions valued at between $2 million and $10 million each week. The company has set a goal of processing $1 billion in card transactions in 2011, Litan said.
The Square service was officially launched in October 2010 and claimed some 165,000 active accounts as of January, Litan said.
Paul Rasori, senior vice president of global marketing at VeriFone, today said the company decided to make its claims public because the number of free Square card readers in use continues to grow.
VeriFone sells a similar device and fears that consumers will abandon all such technology due to potential security problems, he said. "They have been sending out these card skimmers to anyone who asks for them," Rasori said. "They have created a huge problem. We felt compelled to nip it in the bud."
Rasori said that VeriFone's mobile card reader encrypts cardholder data the moment a card is swiped, keeping it safe from malicious applications created to steal card data.
He said that VeriFone did not formally notify Square about its security concerns prior to going public with them today. He contended that Square has known about this issue for some time.
Litan and others, though, faulted VeriFone's approach and said it was unusual for a technology vendor to disclose a security vulnerability publicly before giving the other a chance to respond.
"We don't see this very often. You can't help but wonder if this is all being driven by competitive worries," she said. "Square is a very unique payment system, and credit card brands are worried about all this innovation" and the threat it poses to traditional payment systems, she added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.