Don't Believe The FUD: Square Is Only As Insecure As You Let It Be

Early this morning, VeriFone CEO Doug Bergeron wrote an “open letter” to the financial industry. In it, he decries Square and their little smartphone-credit-card-reader-that-could, calling for its recall. His reasoning? The Square dongle is easily available, and the card data it passes to whatever device it’s plugged into is not encrypted (though everything transmitted over the network is heavily encrypted), making it too easy for criminals to “skim” (read: steal) credit card information. They even built a phony Square app to prove it.

Of course, the letter barely (and even then, indirectly) touches on the fact that VeriFone has their own, competing smartphone credit card reading system, giving them a bit more skin in the game than the whole white-knight approach might let on. Toss in the fact that these “flaws” are by no means exclusive to Square, and the whole thing reeks of mudslinging and desperation.

Here’s the thing: every single time you hand over your credit card to someone (be it someone using Square, or any one of the dozens of other credit card input methods) you’re trusting them not to steal it.

  • Hand your credit card to a waiter at a restaurant? 9 times out of 10, they walk off with your card for a few minutes. They’re probably just swiping it through their point-of-sale machine — but they could just as easily be taking it into a back room and jotting down the details on paper. Security flaw!
  • Oh, and that point-of-sale machine? It could use an ultra-encrypted mega security reader — but it could just as easily be (and often is) using an ultra-simple USB mag-stripe reader without any sort of encryption whatsoever. All it takes is one rogue employee dumping data into a text file. Security flaw!
  • Order a pizza for delivery, but want to pay with credit card? At the grocery store, but the power is out? Don’t worry! They’ve got a manual credit card machine, which copies everything from your card onto a piece of carbon paper with one quick swipe. Security flaw!
  • Ordering something online that isn’t from a major retailer? Unless you’re a techie, how can you confirm that they’re not just harvesting credit cards? Even if they’ve got the same “We’re secured with 8-billion bit encryption!” graphics you’ve seen around the internet, would even a small chunk of the population know how to verify that they’re more than static graphics? Security flaw!
  • That phony Square app VeriFone built? VeriFone’s own app allows you to punch in credit card numbers manually. An app that looks like VeriFone’s could be built just as easily as an app that resembles Square’s. Security flaw!

See my point? This is a flaw inherent to the entire industry.

Once a consumer realizes a business/individual can take credit card payments and they’ve been convinced to hand over their card, it’s game over. There are a million and one ways to steal that data, from high-tech black market skimming devices to a simple pad of paper. Bad guys will find ways to do bad things — and with just about every business using a different transaction solution, most folks wouldn’t question a thing.

Also, it’s probably worth noting: adding hardware encryption to a device like Square would increase the price of manufacturing dramatically. Increasing the price would inhibit Square’s ability to give ’em away for free, thereby eliminating one of the service’s key selling points. (And even if Square DID do dongle-to-device encryption — what’s to keep baddies from building Square [or VeriFone PayWare, for that matter] hardware lookalikes that don’t?)

The “security flaw” here isn’t in Square, nor is it new. It’s in our credit card system, which is an aging network of semi-secure devices operated by people and businesses we trust on faith — Square just highlights that fact. You can’t build your house out of straw and then be mad at the wind when it blows it down.