Competitor Accuses Square of Enabling Criminals to Skim Cards

VeriFone, a big hardware provider for the payment card industry, has launched a head-on attack against Square, a start-up mobile payments company, over allegations that Square’s credit card readers are easily hacked, enabling criminals to steal account information stored in the card’s magnetic stripe.

The Allegation: Square “places consumers in dire risk”

In an open letter, posted on a specially set-up website, VeriFone’s CEO Douglas G. Bergeron alleges that there is a “serious security flaw” in Square’s credit card reader that compromises the security of cards swiped through it. In the words of Bergeron:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

To back their claim, VeriFone have created a video showing exactly how they believe Square’s reader can be used for skimming and will be sending their allegations to Visa, MasterCard, Discover, American Express, and JPMorgan Chase (Square’s processing bank).

What Is Skimming?

Skimming is the illegal copying of the account information stored in the magnetic stripe of a payment card. There are two different ways of doing it: swiping the card directly through a skimming device and placing a skimmer over the slot of an ATM machine. The copied information can then be used to create clones of the skimmed card.

Skimming is a problem. According to Bankrate.com, fraud losses from ATM skimming alone amount to close to $1 billion annually. The average yield from a skimming device placed at an ATM machine is $50,000, according to the American Bankers Association.

While not quite as scalable, the individual skimming of cards, the type Square is alleged to be vulnerable to, is equally damaging to cardholders. So, if real, VeriFone’s concern is legitimate and the vulnerability should be addressed. But the timing of these allegations is raising questions.

Why Is VeriFone Going After Square Now?

The battle for domination of the fledgling direct card acceptance sector of the mobile payments industry is heating up. Square has taken the early lead, with Intuit and VeriFone in hot pursuit.

Several weeks ago VeriFone introduced the PAYware Mobile card encryption sleeve for iPhone that enables users to accept cards. The company said that the information is encrypted right after the swipe making it difficult for criminals to skim it.

Just a couple of weeks later Square upped the ante, by dropping the per-transaction component of the fee it charges its users for each card transaction they accept. The start-up is now processing $1 million a day, according to a tweet posted by CEO Jack Dorsey and is currently signing up 100,000 new users per month.

And now, this allegation.

The Takeaway: Square’s Growth Unlikely to Suffer

It is unclear whether VeriFone’s revelations will have any effect on Square’s growth. After all, even if it is as real as advertised, the vulnerability will affect the cardholders, not Square’s users who will still be attracted by the start- up’s no-monthly-fee pricing. Moreover, cardholders are fully protected from fraudulent transactions, so they have nothing to lose.

The fraud-related liabilities are born by Square and JPMorgan Chase. The latter can terminate the start-up’s processing agreement, if it deems the associated risks too high. Yet, the more likely scenario is that Square will bolster the security of its service and keep on growing.

Image credit: Finbotclub.blogspot.com.