By Patti Murphy
The Takoma Grop
VeriFone Inc.'s chief executive officer raised some serious questions of late about Square Inc.'s miniature card swipe device designed to plug into the Apple Inc. iPhone. In an open letter to the card industry and consumers, VeriFone CEO Douglas G. Bergeron asserted that Square overlooked a "serious security flaw" that puts consumers at risk.
"In less than an hour, any reasonably skilled programmer can write an application that will skim - or steal - a consumer's financial and personal information right off the card using an easily obtained Square card reader," Bergeron wrote. "How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this."
The letter, which was posted on the web along with a video demonstration, asks that "Square do the responsible thing and recall these card skimming devices from the market."
Like that's going to happen. Square has attracted a lot of big-name investors who, according to published reports, have placed bets on Square to the tune of about $200 million. Besides, if the risk posed by Square is, indeed, as serious as Bergeron contends, why tip off fraudsters to yet another option for scamming the card systems?
Card skimming is a serious problem, and it's probably one of the easiest ways to compromise payment systems. But information from the mag stripe on a credit or debit card, in isolation, isn't sufficient to complete fraudulent transactions. That would require card verification value numbers, or in the case of debit cards, PINs.
I know this because my debit card was compromised while I withdrew cash from an ATM not long ago. It happened at an ATM on the outside wall of a bank branch. Apparently, some enterprising crook attached a skimming device to the ATM (in a busy downtown district) one Saturday night and positioned a miniature camera nearby to record customers entering their PINs. The skimming device was gone by the time someone at the bank thought to investigate. I was one of a dozen or more folks whose cards were compromised that evening at that ATM.
Similar scams have been reported recently at gas pumps as well as ATMs in several Southwestern states. In Utah crooks have been capturing PINs with miniature cameras stashed inside empty soda cans and cigarette packs, according to a report in the March 13, 2011, Daily Herald in Provo, Utah.
The U.S. Secret Service estimates that ATM card skimming results in losses (primarily to financial institutions) totaling $1 billion a year.
To put this into perspective, consider that Square, as of early March, was processing $1 million a day in payments initiated through iPhones, iPads and Android mobile devices. That's not a lot of payments. In fact, it represents but a fraction of the estimated $600 billion in annual Visa Inc.- and MasterCard Worldwide-branded credit and debit card payments processed through Square's acquirer, Chase Paymentech Solutions LLC, in 2010, according to the "The State of Acquiring," 2010, GSQ, Vol. 13, No. 4, December 2010.
I'm willing to bet that a large share of those Square payments are taking place in high-tech meccas like Silicon Valley. No one I know personally uses Square. In fact, I'm married to someone who prides himself on having been an early adopter of nearly every high-tech gadget since the Commodore 64 computer (an early "home" computer for which cassette tapes were the storage medium), and Square hasn't even made it onto his radar.
I suspect a lot of other folks were similarly in the dark before VeriFone raised a red flag with its open letter, which included directions for "downloading the sample skimming application and viewing a video of this type of fraud in action." (The video has since been removed.)
Here's something else that doesn't seem to make sense: Square isn't the only such device in the market. ROAM Data Inc., for example, has developed a similar card swipe device and application that's compatible with any mobile phone, not just smart phones. A 2010 recipient of the Electronic Transactions Association's Innovators Award, ROAM developed ROAMpay especially for small to midsize businesses and distributes the device through dozens of ISOs, including Sage Payment Solutions, Total Merchant Services Inc. and North American Bancard.
Yet Bergeron only mentions Square in his letter, contending that the Square card reader doesn't encrypt the information it captures. The response to that letter from Jack Dorsey, founder and CEO of Square, and a co-founder of the social networking phenomenon Twitter, suggested concerns raised by Bergeron were unfounded.
In an open letter posted on the Square website, http://square up.com, Dorsey stated, "Our partner bank, JPMorgan Chase, continually reviews, verifies and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security." Dorsey also pointed out that credit cardholders are well-protected against fraudulent charges under federal law.
There's a message here that appears to have been obscured: products like Square and ROAMpay respond to a market need that has long been ignored by terminal manufacturers and acquirers alike: credit card acceptance by really small businesses.
I'm not talking about the mom-and-pop restaurants that get 10 or 12 card payments a day, but rather those really small businesses that maybe get 10 to 12 card payments a month. Many of these businesses still use old-fashioned "knuckle busters," or worse, like a small-town plumber I once hired, they make their own card imprints the old-fashioned way, with paper and pencil, and later submit the transactions as card-not-present items.
Square and ROAMpay devices respond to changing market dynamics. Research shows that consumers born after 1990 are keen on mobile payments and similar alternatives to traditional credit and debit payments.
Most recently, the Consumer Payments Preferences Study, conducted by Hitachi Consulting and the Bank Administration Institute in 2010, revealed that although only 5 percent of consumers have mobile devices that can be used for payments, 46 percent of those folks are under the age of 35.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next