Square payment solution vulnerabilities

Markiyan Malko

March 9, 2011

Some big news came out today from Verifone regarding the Square Up payment solution. Verifone was able to write a fake Square application that looks and functions like the real one but instead uses the Square audio card reader to steal card track data. That is, of course, a huge vulnerability, since the stolen track data can be used to clone new cards.

Unlike mobile card readers (like ours) that encrypt the track data right in the read head, before it is passed to the application, Square chose to use the standard unsecured reader to cut costs and simplify rollout. To be fair, many POS applications in the field today use these old readers, but the bigger issue here is the never-before-seen access to this technology that Square is giving non-businesses. There is a huge difference between the two situations: a storefront merchant has to have an established and reputable business to use a standard card reader, whereas anyone with a Social Security number can log on, order the Square reader, and then go to the flea market and start swiping cards, selling anything they want.

Merchant Warehouse has been a pioneer in advocating secure, encrypted card readers, and our MerchantWARE Payment Gateway has been supporting this technology for 3 years. It is important for all payment solutions to research and implement this technology, but it is imperative that mobile applications do so, considering the wide range of vulnerabilities and gray areas that exist in that space.

Here are Verifone's findings.