Square encryption hinders Visa deal
Square is running into some problems with its new investment partner Visa. An executive at the mobile payments company confirmed it is re-working its system to encrypt credit card data on the fly. Square now uses a dongle that plugs into a headphone jack and an iOS application to process credit card transactions. While this system complies with industry regulations, it does not take the extra step to encrypt the credit card data.
Now that Visa has joined Square as a strategic investor, the mobile payments company will be redesigning all its dongles to include this built-in encryption. Square did not comment on the financial impact of this change, but it could be costly. Square gives away the dongles for free and makes its money off a 2.75% per-transaction fee. It is not clear how Square intends to absorb this extra cost.
In light of the recent high-profile security breach of the Sony PlayStation network, Square is wise to add this layer of encryption and ease customers' fear of having their transaction data inadvertently compromised.
Add a Comment
I'm confused. For those of us who already have a dongle, will we have to get a new one?
May 01 2011 at 2:32 PM
Very misleading headline. Nothing in the article suggests the investment is hindered. Frankly it suggests the investment is subsidizing the change.
To those of you who clearly don't get it, the "threat" is that someone will convince you to let them swipe your card and not actually be using the Square app. They will instead use another app to store your data while at the same time giving you a product worth what you think you are paying. Frankly it seems to me like a lot of work and expense to steal CC data.
Assuming there is already a "CPU" on existing dongles (doing work to read card/transmit it to the iPhone over the headphone jack), then adding encryption should be trivial/no cost.
(if existing dongles aren't 'field upgradeable', then there would be cost to swap-out devices)
There is no processing hardware of any kind; the strip is read by a magnetic tape head. The data is sent to the phone as if it were raw audio, to which the Square app "listens", and processes it accordingly, like an old TRS-80 reading a program from cassette tape.
Because of this, as Verifone demonstrated, it's very easy to build a skimmer that looks just like a legitimate card processing app, but just gathers credit card numbers. One could also implement a less-obvious "man-in-the-middle" attack on an unsuspecting device.
This is all about deterrence, but the deterrent does matter. Making it more difficult to execute an attack *does* make it less likely that an attack will take place. There's a lot of naïveté in the comments here regarding the credit card industry, and how protective they are of the layers of security they've built up to reduce fraud as much as possible. They won't willingly introduce a new risk, and they're going to put Square through the paces.
I've been saying the same thing since the Square solution hit the scene, and I've concluded by noting that whichever company assimilates the other's strengths (Square's brilliant payment model or Verifone's hardware robustness and thorough background checks) is going to eat the other for lunch. Right now, it looks like it's gonna be Square.
Dude... Someone will crack the encryption if they want to steal info. This protects no one.
April 29 2011 at 3:45 PM
Encrypting at the dongle does nothing to improve security. Any encryption at the dongle will more than likely be produced via a static key that all the dongles will share. This type of encryption is cracked regularly and is akin to the type of encryption that DVDs or game consoles use. If you put the key within the hands of end users someone will crack it. Now if they were to use some sort of unique key on each dongle this might be effective in preventing malware on a phone from grabbing the credit card info. But if the app on the phone decrypts it you have defeated this purpose as well. All this will do is drive up the cost of the dongle for little to no benefit.
April 29 2011 at 4:53 PM
Hinders?! Seems to be the addition of hardware encryption is in response to the Visa investment.
April 29 2011 at 1:47 PM
This is ridiculous, and the real cost will be to Square's customers. Adding encryption to the dongle will only make it more expensive, which means Square will have to charge more fees or charge for the dongles. Right now they hand them out like candy, which is part of their success.
And what does this move actually protect? Think about it. This isn't solving a problem- nobody is intercepting the card number data between the reader and the phone .5" away. All it will do is make other applications unable to use the Square reader, at least until somebody cracks it and posts the how-to code you can paste into your iOS app. Which will happen very quickly.
This is like adding a magstripe reader to your PC and telling people it's somehow safer than typing the numbers into Amazon.com. At best, it's just security theater. At worst, it's Square wasting money either to appease PHBs or because they've got some really crappy security analysts.
I assume the data is already encrypted from the phone to the Square servers. But why take the extra step to encrypt it from the dongle to the phone? There's nothing extra to hide. If someone can inject a man-in-the-middle attack with, say, a cable between the dongle and phone, they already have access to the card itself, which contains everything the attacker needs in nice raised lettering.
April 29 2011 at 12:47 PM
Oh no, PLEASE don't raise the % !!!!! I wouldn't mind the small fee for the reader and I am sure that other users would agree. Let's say a one time charge of $50.00 would be ok with me. The no monthly charges and low transaction % is why there are SO many Square users!
I sure hope that this is not a partnership that will destroy what the Square brand started!
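The key-management argument in the comments above (one static key shared by every dongle versus a unique key per dongle, with decryption kept off the phone) can be made concrete. This is an added example, not Square's design and not code from the original page; the master key, reader IDs, track data and the HMAC-based stand-in for a real AEAD cipher are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def derive_reader_key(master: bytes, reader_id: bytes) -> bytes:
    # Unique key per reader; the master key stays on the server (assumption).
    return prf(master, b"reader-key", reader_id)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for an AEAD: HMAC-SHA256 keystream plus an HMAC tag, stdlib only.
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + prf(key, b"mac", nonce + ct)

def open_sealed(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"mac", nonce + ct)):
        return None  # wrong key or tampered message
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

MASTER = bytes(range(32))             # constructed server-side master key
STATIC = b"same-key-in-every-reader"  # constructed key shared by all readers
TRACK = b"%B4111111111111111^DOE/JANE^25121010000?"  # constructed test swipe

def compare_designs() -> dict:
    key_a = derive_reader_key(MASTER, b"reader-A")  # the one key an attacker extracted
    key_b = derive_reader_key(MASTER, b"reader-B")
    blob_b = seal(key_b, TRACK)  # what the phone app relays without opening
    return {
        "static_key_from_one_reader_opens_all": open_sealed(STATIC, seal(STATIC, TRACK)) == TRACK,
        "reader_a_key_opens_reader_b": open_sealed(key_a, blob_b) is not None,
        "server_recovers_swipe": open_sealed(derive_reader_key(MASTER, b"reader-B"), blob_b) == TRACK,
        "relayed_blob_contains_track": TRACK in blob_b,
    }

if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

With per-reader keys, extracting the key from one dongle exposes only that dongle's traffic, and an app that only relays the sealed blob never holds the card data in the clear.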