Innovative startup Square continues to make waves with their app and reader combo that enables small-time businesses to access payment with credit cards. Imagine somebody with a camping table and self-made T-Shirts selling these on the street. For example I would have loved a T-Shirt to commemorate 2 weeks of iPad2 queues saying “I queued for iPad 2, but all I got is this lousy T-Shirt”. Without hesitation my Mastercard would have jumped out of my wallet to make love to a Square reader and app.
But then there are the established companies which feel threatened by Square. First and foremost VeriFone, a company that apparently seems to see themselves as the sole owner of the market for processing payment information. This is evidenced by the statements made on their website. Take for example their SEO-friendly site title: “VeriFone Official Site | Secure payment solutions for credit & debit cards, EMV, contactless, & NFC”. They have vested interests in technologies that require you to purchase their products.
Let’s have a closer look what’s behind this rivalry and also investigate if there really is a gaping security hole in Square’s approach as VeriFone claims.
We are especially interested in Square for they made a big bet on the iOS platform and their unique approach with repurposing the iPhone’s audio jack as input for the credit card data. They serve as inspiration for many other startups, the theory being, that if they can succeed in our marketplace then so we can too. Anything that draws more attention to iPhones and iOS should be a good thing for us small players.
But if you get too successful you will attract the attention of your competitors who might not shy away from drastic opinion engineering to have you fall from grace. It all started out by VeriFone making a website sq-skim.com where they have a letter and lots of SEO keywords trying to foster distrust in Square.
VeriFone CEO Douglas G. Bergeron claims to have created an app “in less than an hour” that would decode the scan data from a Square reader plug via the audio jack and extract the relevant credit card information.
When processing credit cards you have two channels where you want to maintain the highest level of security. At the highest level of abstraction you want to convey the users intent and identity to the credit card company so that a payment can be authorized. So in one direction your are dealing with individual customers who are interested in staying the only person who can make payments with their identity. In the other direction you have the credit card company with which you want to be on good standing.
So the technical challenge is how to transmit the user’s payment identity to the credit card company. Clearly it would not be sufficient to just send them an e-mail stating that Oliver Drobnik wants to pay for a T-Shirt. You need to somehow transfer the user’s payment credentials (usually the CC number, expiration date and sometimes als the CVC code) to the provider.
Of the two channels mentioned the customer-facing one is the weakest. Any waiter in a restaurant has an opportunity to note the necessary numbers on a piece of paper after he has disappeared with your card. This is what’s been jargonized as “skimming”. That could either be happening physically like this or even on a server. Every now and then we hear that credit card numbers have been stoled, leaked or otherwise been improperly distributed.
When Square set out to create a solution for the mass market of using iPhones as mobile terminals they were facing the basic question of how to make the process as similar to known payment metaphors as possible. That and not wanting to deal with Apple over licensing the dock connector. Their engineers came up with the ingenious technique of encoding the magnetic strip still present in all credit cards in a way that could be transmitted over the audio jack. And then packaging this into a small white plug that you can cary in your pocket.
I imagine that they must have sort of a PCM encoder on a chip in the reader and then use the audio-capture API of iPhone to get these numbers. If I had to do this then I would have needed substantially more than one hour to work out the encoding. Probably VeriFone has been working on reverse-engineering this for quite some time now. Judging from the effort they are putting into the anti-Square website they probably have a couple of fulltime hackers on staff now doing nothing but dissecting Square elements.
So that’s the first disingenuity of Mr. Bergeron. People reading his statement probably think “oh, just one hour? then it must be really insecure”. Square was announced in early 2010, so VeriFone must have spent more than half a year on this stunt, figuring out the encoding is far from trivial, even if it’s not encrypted.
A Magic Trick
When performing magic tricks with an astonishing outcome you never reveal how much effort went into preparing it. That’s what’s making it magical. How much less of a buzz would have been generated if VeriFone had honestly admitted: “We built the app in one hour after we spent 6 month figuring out how this PCM encoding worked”. Suddenly they go from being a security hero and app wizard to being noobs. Anybody can write an app to decode a PCM stream, given documentation on the encoding and looking up how to do PCM capture in Apple’s docs.
For unknown reasons Square did not opt to add encryption between the reader and the app. This is the major Achilles’ heel, claims VeriFone. Because of this they say that anybody can make apps to quickly skim peoples cards. But this is the second piece of a magic trick, called Misdirection. That’s when the magician directs your attention to something seemingly more interesting while having the real action happen outside of your attention.
Any kind of reader is basically a way to get numbers into the device without having to enter them manually. Even the square app allows for manual input if the magnetic strip fails. That’s not the real weak link and therefore I am calling this misdirection. The real weak link is what happens to your card once it leaves your sight. Because then anybody with criminal intentions can note down the card’s details only to sell it later via a shady newsgroup.
Counter Open Letter
Generally this week spot in the chain of trust is often quoted with the example of the malicious waiter. Also by Jack Dorsey, CEO of Square, in his response to the allegations. In reality a luxury restaurant is about the only place I can imagine where I would give my card out of hand. In all other physical places I would swipe the card myself, exactly for this reason. If I hand out the card then my payment credentials are no longer entirely only under my own control. This is also the reason why we are seeing smaller and smaller payment terminals to bring to the customer as opposed to having these old paper imprinters sitting somewhere at the back of an establishment.
Square HAS a problem, but it is not technical in nature as VeriFone will like us to believe.
The weakest link in the chain of trust remains in the step where you have to get the payment credentials into the Square app. A iPhone repair ship owner in Florida whom I twinterviewed told me that people have absolutely no reservations about swiping their card, probably because we have been conditioned to do so and because it is by far less painful than having to either give up control of our cards or having to enter the card number manually.
What’s really behind the attack
Square’s business model is dependent on being able to establish their solution (app+swiper+online) being seen as just as trusted as any other POS device. So the real nefarious intent of VeriFone is to discredit their way of input.
Theory 1 “Nefarious App”: if I had the scanner plug, I could make an app that would look exactly like the official one. Maybe even seem to do an authorization but then display a failure. Sorry, dear customer, there might be something wrong with Square at the moment. But in reality I would have saved the scanned details. Or maybe even use that to walk around pretending to be collecting donations or selling something inexpensive where I pretend to have gotten payment authorization, but really didn’t. Nothing ever suspicious happend, the customer got to swipe the card himself, it never left his control. Nobody made a photo or note of the details. So how could anybody suspect fraud?
Theory 2 “Hacked Official App or Spyware”: because there is no encryption a skilled hacker could modify the official app to log the PCM stream or even create a background daemon process that would scan audio input in the background without the official app not noticing that it is being spied on.
Theory 3 “Inception Mindfuck”: just as easy as I came up with these two theories I now got you to ponder techniques what other exploits there might be. Even if none of these are easy to pull of or maybe even impossible, there are still doubts that have been implanted into your opinion.
The question is whether encryption would have made any difference. From a security point of view, probably not. But it would have made a major difference by not allowing competitors to abuse it as an alleged security problem.
The big hope for the payment processing industry is taking shape with NFC (near field communication) where you could have your limited information on the owner’s intent to pay over a short distance be communicated wirelessly. VeriFone is heavily investing into this technology even though it has yet to be seen in real life use. If an iOS device, let’s call it iPhone 5, would have an NFC chip, it could receive the payment and provide this info to the Square app instead of the reader.
I suspect that VeriFone’s real goal is to discredit Square just enough to have them gain access to NFC later than VeriFone is able to establish a beachhead. If credit card companies think that Square might have security issues they would probably be hesitant to let them enter this new promising market of frictionless payments. I also suspect that if Square were a publicly traded company then VeriFone would stand to gain from a decreased valuation and make an attempt of a hostile takeover. But they are in private hands and probably will be for quite some time.
So what do we entrepreneurs learn from this debakel?
If you’re successful envy invariantly follows. It’s up to you to reduce exposure of your weak spots but you better be prepared when your main competitor declares war on you. As an engineer you might think that an additional security layer might not gain you any additional safety. But costs of having to undo the bad publicity drummed up by your competitor might by far outweigh the engineering cost of securing your interfaces up front. Better safe than sorry.
If anything then we now know that Square is a force to be reckoned with. A light-weight startup that exactly addresses what people want and does so in a way that shakes at the foundations of the established payment aristocracy. We’re keeping our fingers crossed that Square keeps on being so successful, as they are our beacon in dark and rainy startup nights.
How safe is Square? Safe enough in terms of credit card security. But not safe at all from being attacked by their competitors.