updated 01:05 pm EST, Wed March 9, 2011
VeriFone scares users from Square with skim hack
VeriFone attempted a classic "fear, uncertainty, and doubt" (FUD) campaign against Square today with a site and a video (below) claiming a major exploit in the mobile payment method. The credit card processing firm claimed that all was needed to "skim" and steal credit card data was a fake app that could use Square data but didn't actually process a payment. Since the hardware didn't encrypt the data, it could be adapted in "minutes" to systematically grab data from unsuspecting buyers, company chief Doug Bergeron claimed.
The company said it had already sent an example of a fake app to American Express, Discover, MasterCard, Visa and Square's main processing bank JP Morgan Chase. It argued the move was just to "invite their comments" but in mentioning Chase made clear it hoped Square would be blocked by all of the services.
Bergeron argued that VeriFone and other "credible providers" should instead be used because of their traditional approaches to security. Using something like Square would be a "catalyst for massive personal and institutional financial loss," he claimed.
While professing to educate customers, VeriFone has a conflict of interest magnified by the size of the campaign and its hopes to have Square blocked. VeriFone both has an incentive to protect its traditional point-of-sale machines as well as to guard its own PAYware mobile hardware and its future NFC-based payment technology. Square's reader add-on as well as the apps for Android and iOS are free, and the only costs incurred are for the transactions themselves.
It also sidesteps the relative difficulty of creating a fake app, since it would need to sideloaded on a jailbroken iPhone, and the common sense that a store hoping to get paid regularly would be unlikely to simply scam users.