VeriFone tries to spook users from Square with exploit demo

updated 01:05 pm EST, Wed March 9, 2011

VeriFone scares users from Square with skim hack

VeriFone attempted a classic "fear, uncertainty, and doubt" (FUD) campaign against Square today with a site and a video (below) claiming a major exploit in the mobile payment method. The credit card processing firm claimed that all that was needed to "skim" and steal credit card data was a fake app that could use Square data but didn't actually process a payment. Since the hardware didn't encrypt the data, it could be adapted in "minutes" to systematically grab data from unsuspecting buyers, company chief Doug Bergeron claimed.

The company said it had already sent an example of a fake app to American Express, Discover, MasterCard, Visa and Square's main processing bank JP Morgan Chase. It argued the move was just to "invite their comments" but in mentioning Chase made clear it hoped Square would be blocked by all of the services.

Bergeron argued that VeriFone and other "credible providers" should instead be used because of their traditional approaches to security. Using something like Square would be a "catalyst for massive personal and institutional financial loss," he claimed.

While professing to educate customers, VeriFone has a conflict of interest magnified by the size of the campaign and its hopes to have Square blocked. VeriFone has an incentive both to protect its traditional point-of-sale machines and to guard its own PAYware mobile hardware and its future NFC-based payment technology. Square's reader add-on as well as the apps for Android and iOS are free, and the only costs incurred are for the transactions themselves.

The campaign also sidesteps the relative difficulty of creating a fake app, since the app would need to be sideloaded on a jailbroken iPhone, and the common-sense point that a store hoping to get paid regularly would be unlikely to simply scam users.

by MacNN Staff



  1. hayesk




    Just how is this different than a clerk writing down my CC number from their receipt after I leave or making a skimming machine to look like the standard machines I see in stores?

  1. designr




    VeriFone wrote and is now distributing an app that reads credit cards and then fakes a Square transaction?

    VeriFone is giving away the fake app with which criminals can steal credit card numbers?

    Isn't that illegal?

    How is blocking Square from receiving credit card payments going to stop criminals from using VeriFone's criminal app?

    The executives at VeriFone should be thrown in jail.

  1. MyRightEye



    Wait just a minute...

    I'm a Square user, and the company is a bunch of a*******. They shut down their user forums because they didn't want Square users communicating with each other. And they told us that these card readers WERE encrypted. Now we find out they're not!? That's pretty damn serious IMO. I will still use Square for my own customers, as obviously there's no risk there, but this will make me cautious about handing over my card to someone else using Square.

  1. donmontalvo


    VeriFone must be losing sleep over the competition, to pull this kind of stunt. Puleeaasssee....

    Don Montalvo, TX

  1. OkieDoc




    All I know is, I was up and running on Square in no time, the app is super easy to use, and I had money in my bank account within 3 days of the first swipe.

    AND now there is no per-swipe fee, and only 2.75% fee.


    P.S. I'd still rather get cash :-D

  1. Tjp



    Square is safer than the waiter

    I had my CC number sent by a waiter to a confederate in Canada who sold it to someone and charged an auto repair on it, about 3 hours after I left the restaurant. It is safer to use Square because then you know face to face the possible avenue of the lost CC number. It was pure luck through the fraud department at the CC company that noticed the charges hours apart and in different countries and hundreds of miles apart and called to confirm.

    So write a custom app to get the swiped number (and the nice piece of processing to retrieve it from the analog signal at that) or photograph the swipe and capture the info that way. Crooks will take the path of least resistance.

    FUD folks, not to worry. This is an example exploit that has never been found in the wild, created by a competitor for marketing purposes.
