VeriFone disclosure of 'gaping' flaw in Square's card readers draws flak

VeriFone CEO Doug Bergeron appears to have touched a nerve with his statement Wednesday that startup Square should recall all the mobile credit card readers it has distributed for free so far because the devices don't support encryption. Several bloggers and Twitter users see the action as a rather cynical attempt by an industry heavyweight to smear an upstart rival.

Square is a mobile payment services company launched by Twitter founder Jack Dorsey and Jim McKelvey in 2009. The company distributes a small, free dongle that people can stick into the headphone jacks of their iPhone, iPad or Android devices and start using instantly to accept credit card payments.

The company's goal is to enable anyone, including street vendors, taxi drivers and even individuals, to accept credit card transactions without any of the usual hassle or cost. Since launching its service last October, Square has signed up over 165,000 accounts and does between $2 million and $10 million in transactions weekly, according to Gartner.

Bergeron claims that the lack of hardware-level encryption support on Square's card readers makes it trivially easy for someone to use them for card skimming purposes. In an open letter to consumers and in a YouTube video (that now appears to have been removed), Bergeron labeled Square's readers as mobile skimming devices that would fit in someone's pocket and enable cardholder data to be stolen easily.

All that someone would need to do to steal cardholder data is to write a little application, masquerade as a legitimate business or vendor, and get consumers to swipe their cards on the Square reader, according to Bergeron.

That might be true and is something that Square needs to address if it wants consumers to really trust its technology. (VeriFone, for instance, sells a competing technology that encrypts cardholder data the moment the card is swiped.)

But the fact is that crooked merchants or crooked individuals can do this kind of theft right now, and they don't need a Square card reader to do it. A merchant or a cashier who wants to steal card data can have a skimmer attached to their payment terminal or hidden in their desk or even in their pocket. Or they can simply write the card details down. This sort of theft happens quite frequently in restaurants and other retail establishments, because all sorts of inexpensive card readers are available already.

Maybe VeriFone's argument is that Square's card readers will suddenly inspire a whole new wave of people to get into the exciting world of card skimming because it'll be so easy.

VeriFone made a big deal about the lack of encryption support on Square's card readers. The fact is that most card readers in the U.S. don't support encryption, according to Gartner analyst Avivah Litan. "My understanding is the Verifone is saying Square's main security problem is that its hardware is not encrypting the card data when the card is swiped," Litan said. "Well that's the case with most card readers today. That's one of the main business cases for implementing 'end-to-end encryption' which is a good security practice, but one which is not mandated," she said.

What this incident really highlights is the continuing weakness of the payment system in the country. As Litan often points out, the U.S. is a laggard when it comes to the adoption of more secure payment card technologies. Card skimming continues to be a major problem in the U.S. largely because most payment cards still use magnetic stripe technology to store cardholder data. Other countries have moved to Chip and PIN technologies, which, though not bulletproof, are at least far more secure.

Copyright © 2011 IDG Communications, Inc.
