Verifone Builds Square Fraud App in 1 hour

I took a look at my blog stats today… and they went through the roof.

Verifone’s CEO (Doug Bergeron) published an open letter to the industry on Square’s flaw. The Square doggle is not PCI compliant (see my blog from last year). Verifone is spot on… they built this skimming application in ONE HOUR.

YouTube Video just pulled.. . you can still view at http://www.sq-skim.com/

Chase Paymenttech is Square’s acquirer, and I spoke to them specifically about the Square risks last year. This is an industry issue.. as stolen cards and fraud generate both issuer losses (card present transaction) and a tremendous hassle for customers. I don’t understand why Chase supported this thing… Was told last week that Square’s fraud is off the charts. As I said back in 16 month ago in January 2010

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuer’s have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link) customer would see their card transaction declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered, Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer.  Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea for potential mis-use see you tube video below.. crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

Update Thurs Mar 10

Networks are dependent upon everyone following the same rules. Rules are what make networks work, and are essential in “trusting” the transactions coming in. PCI rules were agreed to by all.. Square’s reader does not comply, nor does its iPhone app.  That said we have a very mixed bag of incentives within the current card networks. Banks and the networks want Square to succeed, as it will drive more transaction volume AND drive card use further down market with small merchants… see Visa’s blog

http://blog.visa.com/2011/02/14/emerging-payment-types-new-opportunities/

Bank margin is driven by the ability to manage risk. This is the nature of banking. Within credit card, Big banks like Chase have tremendous experience in fraud and risk.. they the seek both higher margin and volume.  Chase is comfortable with the risk it is enabling with square as both issuer and acquirer. However, their acquisition relationship with Square (through PaymentTech) enables fraud to enter the network, and other banks may have not updated their authorization rules to accomodate. For Example, Bank of America certainly wants increase transaction volume .. but is it willing to pay the price of  BOTH fraud loss AND of encouraging a change in customer behavior (give their cards to anyone with an iPhone and card reader)?

From my background at 41st Parameter, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. This will be an active discussion for them today. Bank decisions are caught up in the business dilemea of how to respond to Durbin, as well as their own mobile strategies and EMV perspective. Fraud usually develops once critical mass is reached, as fraudsters don’t want to waste their own resources developing a compromise unless there is volume.  My view is that Square’s reader and iPhone application are clearly not compliant with PCI rules and that Visa and Mastercard must shut them down. They have no choice.

Perhaps a story is in order to talk about potential impact. Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”..  I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars.. and claim that we are responsible for their fraud (they have a decent case).  Verifone’s 1 hour fraud app (www.sq-skim.com) is not a technology issue as much as a behavior one. A good crook would probably spend a few days developing an iPhone app that asked for your PIN…. and took a picture of the back of your card w/ CVV, I noticed in Square’s response that they also ask customers for phone number and e-mail address (normally). This data is beyond the wildest dreams of fraud organizations.  I can just imagine a fraud ring setting up hot dog or ice cream stands that only take cards.. .and sell the ice cream for $.50… they would never even use square’s software.. or even try to submit a transactions. They would give the food away for free just to get the data.

As a side note Square is not winning against Verifone. Square has only 5k-10k active merchants (see blog) and $200k in revenue per MONTH… so lets stop this thing before it gets viral.

2 thoughts on “Verifone Builds Square Fraud App in 1 hour

  1. Like you I wrote about this very issue months ago.

    Bottom line: Anyone who hands over the CC/DC card to someone wielding a card skimmer with a cell phone is nuts…

Comments are closed.