I noticed this morning on Engadget (Thanks @PaulOBrien) that Square is coming under fire from Verifone for their mobile payment solution and card reader. For those who don't know about Square, they're a startup that offers mobile payment processing over cell phones using a card reader that plugs into a smart phone's headphone jack and talks to a payment processing application being run. What Verifone appears to be upset about is that the data is not encrypted between the card reader, and, the payment processing application itself, meaning two things:
- It's possible for a background application to copy data in transit between Square's card reader and Square's official app
- It's possible to use the card reader with a non-official Square application
Lets take a look at the official claim and see what Verifone has to say about it...
In the either case, an application can tap into the credit card data stream between the dongle and Square's application, and a copy of all your card's data can be stored when you swipe your card to make a purchase. That data can be used maliciously and fraudulently after the fact. Your charge goes through for your purchase (or not) at the time, and you are none the wiser. How is this any different from an employee at Target side-loading an application on the register, or your bank ATM being hijacked? Square's lack of encryption does make it possible that a rogue malicious application could be written that emails or SMSes your credit card data to somewhere, whenever a credit card is processed. Imagine if that worm was installed on a popular vendor's smartphone with out the vendor even knowing? The bottom line is this: Is Square doing anything wrong? No. But are they doing anything right? The answer again, at least in my opinion, is also no.