Verifone: Steal This Card Data

In an ironic move, payment security vendor VeriFone on Wednesday (March 9) posted a video showing how to turn a mobile payment device into an illegal skimming unit. Not only did it post a video depicting this technique, VeriFone also posted a skimming application it wrote and encouraged consumers to download it.

VeriFone did all this to attack a much smaller rival called Square, which it repeatedly identified by name. The ironies continue. VeriFone posted a special page for this content, at a domain name referencing its rival, Square. A key part of that page was a YouTube icon that played the video, but YouTube quickly took the video down, breaking the link.

The video itself encouraged people to grab a copy of VeriFone's application, which is designed to turn Square's dongle into an unencrypted skimming device. VeriFone CEO Douglas Bergeron narrates the video and says the site is "where you can download the sample skimming application and see for yourself." And yet, no such link exists on the page. The link was removed, just as the YouTube video was.

Late on Wednesday, VeriFone spokesman Peter Bartolik confirmed that the file had been removed. "The app has been taken down and won't be restored." Oddly, the page's statement that the app can still be downloaded remained, albeit with no link, as of 9:30 AM Thursday (March 10).

Bartolik offered an explanation for the app's removal: "It became evident that some observers were coming to the conclusion that VeriFone had made available an actual skimming app, which was not the case. The app we made publicly available was a demonstration app that showed an ability to read data from a Square device, but did not actually display or capture sensitive card data. However, in order to curtail further confusion, we have removed the demo app. The video is self explanatory."

The curious part of that explanation is the claim that "some observers were coming to the conclusion that VeriFone had made available an actual skimming app." VeriFone's own statement makes it easy to see where that impression came from.

The statement, on VeriFone’s Web page, attributed to Bergeron, said: "In less than an hour, any reasonably skilled programmer can write an application that will 'skim'—or steal—a consumer's financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this."

That is pretty clearly stating that the application being referenced was skimming card numbers. Bergeron's statement later says, "See for yourself by downloading the sample skimming application." Also, how could an application show "an ability to read data from a Square device" without actually reading that data? The video showed the app doing its work, which is a demonstration of the app, but by also offering the actual "sample skimming application" for download, it's hard to envision any other reasonable interpretation.

The essence of VeriFone's attack on Square is that the Square device, on its own, offers no hardware encryption: the mag-stripe data it reads is handed to the phone in the clear, where any application can use it.

"Square disregards the core issue of encryption and acknowledges their devices have no layer of security to protect mag-stripe data on consumer credit cards. They are deflecting responsibility and are solely relying on card issuers to protect consumers," said Paul Rasori, Senior Vice President, Global Marketing, VeriFone, according to an E-mailed statement VeriFone sent.

Consultant Dan Stiel posted one of many reactions to VeriFone's move. "Verifone failed to mention in their rhetoric that Square happens to be out-selling Verifone several-fold as their biggest competitor in mobile payments."

When VeriFone dismissed Stiel's comment ("Well, they’re not a public company, but I doubt they’re coming close to $1 billion in annual revenue. That statement was incredulous," E-mailed VeriFone's Bartolik), Stiel clarified that he was referring to the number of mobile card readers that Square has distributed for free, so no revenue is involved.

Stiel said that the number of mobile card readers that Square is distributing is "many times greater than the number of mobile phone readers that VeriFone has distributed," adding that he's seen figures of 40,000-50,000. "My clients include some very large ISOs that are telling me that they are not selling any of the VeriFone mobile card readers," he said.

One of the problems with downloadable apps, especially free ones, is tracking the figures accurately. Not only is it difficult to keep reliable data, but the numbers can change very quickly. A quick search, for example, turned up an Android-only version of the Square mobile payment software that apparently had, as of the morning of March 10, "more than 250,000" downloads. If the Android version alone was more than 250,000, the total (adding in iPhone and iPad downloads) is likely much higher.

When we asked VeriFone for their comparable figures, Bartolik said, "We haven’t disclosed that number. All our sales go thru channel partners. But they’re all actively used, not sure Square can say the same."

Stiel also addressed the encryption concerns. "I agree Square could and should improve the security of the card readers by injecting encryption keys into the readers. However, the technology and 'parts' that hackers need to skim cards are far more easily available from any Radio Shack or Fry's Electronics in far larger quantities than will ever be available from Square." He added: "After all, fraudsters could as easily clone a look-a-like Verifone mobile card reader as they could write a bogus app for their iPhone."
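To make concrete what Rasori and Stiel are arguing over, here is an added illustration (not VeriFone's demo app, not Square's code, and not part of the original article) of the difference between a reader that hands the phone raw track data and one with an injected key. The track strings are constructed test data using the standard Visa test PAN, and DEVICE_KEY, DEVICE_SERIAL and the HMAC counter-mode keystream are hypothetical stand-ins for the key-injection and DUKPT-style per-swipe keys real encrypting readers use; the point is only that the app on the phone sees plaintext in one case and ciphertext plus a key serial number in the other.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample swipe in the ISO/IEC 7813 track layout a magstripe head emits.
# The PAN is the widely published Visa test number, not a real cardholder account.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011000000000000?"

# Hypothetical per-device secret and serial, standing in for a key injected at the
# factory. Real encrypting readers derive per-swipe keys (DUKPT) with a block cipher;
# the HMAC counter-mode keystream below is only an illustration of the same idea.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEVICE_SERIAL = bytes.fromhex("ffff9876543210")

TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")


@dataclass
class CardData:
    pan: str
    expiry: str            # YYMM as encoded on the stripe
    service_code: str
    name: Optional[str] = None


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; the first thing a skimmer uses to discard bad reads."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track1(track: str) -> Optional[CardData]:
    m = TRACK1_RE.fullmatch(track)
    if not m or not luhn_ok(m.group(1)):
        return None
    return CardData(pan=m.group(1), name=m.group(2).strip(),
                    expiry=m.group(3), service_code=m.group(4))


def parse_track2(track: str) -> Optional[CardData]:
    m = TRACK2_RE.fullmatch(track)
    if not m or not luhn_ok(m.group(1)):
        return None
    return CardData(pan=m.group(1), expiry=m.group(2), service_code=m.group(3))


def mask_pan(pan: str) -> str:
    """The form a processor is allowed to keep in logs and receipts (first 6, last 4)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _keystream(key: bytes, ksn: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, bound to the key serial number (KSN) so that
    # no two swipes share a keystream. Confidentiality only; a real design adds a MAC.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, ksn + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypting_reader(track: str, swipe_counter: int) -> dict:
    """What a key-injected reader hands the phone: a key serial number and ciphertext only."""
    ksn = DEVICE_SERIAL + swipe_counter.to_bytes(4, "big")
    data = track.encode("ascii")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(DEVICE_KEY, ksn, len(data))))
    return {"ksn": ksn.hex(), "ciphertext": ct.hex()}


def processor_decrypt(msg: dict) -> str:
    """Only the holder of the injected key (the processor, not the phone app) recovers the track."""
    ksn = bytes.fromhex(msg["ksn"])
    ct = bytes.fromhex(msg["ciphertext"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(DEVICE_KEY, ksn, len(ct)))).decode("ascii")


def skim(app_input: str) -> Optional[CardData]:
    """A rogue app's entire job: parse whatever string the reader hands it."""
    return parse_track2(app_input) or parse_track1(app_input)


if __name__ == "__main__":
    # Unencrypted head: the app receives the raw track and has the PAN immediately.
    print("unencrypted reader ->", skim(SAMPLE_TRACK2))
    # Encrypting head: the app receives only ksn + ciphertext; the parser finds nothing.
    msg = encrypting_reader(SAMPLE_TRACK2, swipe_counter=1)
    print("encrypting reader  ->", msg, "skimmed:", skim(msg["ciphertext"]))
    print("processor side     ->", mask_pan(parse_track2(processor_decrypt(msg)).pan))
```

The unencrypted path is the whole of Bergeron's "less than an hour" claim: a regular expression and a Luhn check. The encrypting path shows why Stiel's suggestion of injected keys changes the picture for the app on the phone, and also why it does nothing about Dorsey's point: the card itself, handed to a thief, still carries the same PAN in plain embossing.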

Square CEO Jack Dorsey issued a brief statement on Square's site reacting to VeriFone's efforts. "Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card."

Dorsey also pointed out that any such attack has to start with a customer handing a payment card to the thief.

"Any technology—an encrypted card reader, phone camera, or plain old pen and paper—can be used to 'skim' or copy numbers from a credit card," Dorsey said. "The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to—no technology required. If you provide your credit card to someone who intends to steal from you, they already have everything they need: the information on the front of your card."

VeriFone seems to have gone out of its way to try to provoke Square. In the video, the narration contrasts Square with "VeriFone and other reputable vendors." VeriFone's Web site has a permanent column labeled: "Square's Ongoing Security Challenges."

VeriFone's Web page promised that, on March 9, it would turn over its application to various payment players. "Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express and JP Morgan Chase (Square's credit card processor), and we invite their comments," Bergeron said.

What makes that move interesting is Chase. Had VeriFone left it at the four largest card brands, company officials could have argued (whether it would be with a straight face or not is another question) that this was an honorable altruistic move to help the security community. But by publicly including Square's processor, it makes it almost impossible to paint as anything other than a vindictive move against a much smaller competitor.

VeriFone's campaign is especially odd because, though it's apparently aimed at consumers, there's probably not one consumer in 1,000 who would have any clue what VeriFone is talking about. Consumers don't know about PCI or encryption. Consumers assume that retailers (and anyone else they hand a payment card to) have full access to the data on it and will keep that data as long as they like.

This is not to suggest that Square hasn't had its own legal issues.

But card skimming has been easy and cheap for years. Wireless card readers cost less than the iPhone or iPad that a Square dongle plugs into, and one reputable magazine published an article a few years ago detailing how to build a magstripe reader for $40. Similar readers have been sold for other handheld devices for almost a decade.

It's hard to see why the ease of turning a mobile card-swiping dongle into a card skimmer matters much. First, skimming has never been hard to do. Second, it's only an issue if the thief already has the consumer's credit card in hand. And third, given how cheap skimming has been for years, it seems unlikely that there are lots of thieves out there who were waiting for an even cheaper skimming method. Skimmers have always been quite low cost.