Printed from

VeriFone tries to spook users from Square with exploit demo

updated 01:05 pm EST, Wed March 9, 2011

VeriFone scares users from Square with skim hack

VeriFone attempted a classic "fear, uncertainty, and doubt" (FUD) campaign against Square today with a site and a video (below) claiming a major exploit in the mobile payment method. The credit card processing firm claimed that all was needed to "skim" and steal credit card data was a fake app that could use Square data but didn't actually process a payment. Since the hardware didn't encrypt the data, it could be adapted in "minutes" to systematically grab data from unsuspecting buyers, company chief Doug Bergeron claimed.

The company said it had already sent an example of a fake app to American Express, Discover, MasterCard, Visa and Square's main processing bank JP Morgan Chase. It argued the move was just to "invite their comments" but in mentioning Chase made clear it hoped Square would be blocked by all of the services.

Bergeron argued that VeriFone and other "credible providers" should instead be used because of their traditional approaches to security. Using something like Square would be a "catalyst for massive personal and institutional financial loss," he claimed.

While professing to educate customers, VeriFone has a conflict of interest magnified by the size of the campaign and its hopes to have Square blocked. VeriFone both has an incentive to protect its traditional point-of-sale machines as well as to guard its own PAYware mobile hardware and its future NFC-based payment technology. Square's reader add-on as well as the apps for Android and iOS are free, and the only costs incurred are for the transactions themselves.

It also sidesteps the relative difficulty of creating a fake app, since it would need to sideloaded on a jailbroken iPhone, and the common sense that a store hoping to get paid regularly would be unlikely to simply scam users.

By Electronista Staff


  1. hayesk

    Professional Poster

    Joined: Sep 1999



    Just how is this different that a clerk writing down my CC number from their receipt after I leave or making a skimming machine to look like the standard machines I see in stores?

  1. designr

    Fresh-Faced Recruit

    Joined: Apr 2002



    VeriFone wrote and is now distributing an app that reads credit cards and then fakes a Square transaction?

    VeriFone is giving away the fake app with which criminals can steal credit card numbers?

    Isn't that illegal?

    How is blocking Square from receiving credit card payments going to stop criminals from using VeriFone's criminal app?

    The executives at VeriFone should be thrown in jail.

  1. MyRightEye

    Fresh-Faced Recruit

    Joined: Apr 2008


    Wait just a minute...

    I'm a square user, and the company is a bunch of a*******. They shut down their user forums because they didn't want Square users communicating with each other. And they told us that these card readers WERE encrypted. Now we find out they're not!? That's pretty damn serious IMO. I will still use Square for my own customers, as obviously there's no risk there, but this will make me cautious about handing over my card to someone else using Square.

  1. donmontalvo

    Fresh-Faced Recruit

    Joined: Oct 2009


    comment title

    VeriFone must be losing sleep over the competition, to pull this kind of stunt. Puleeaasssee....

    Don Montalvo, TX

  1. OkieDoc

    Fresh-Faced Recruit

    Joined: Aug 2001



    All I know is, I was up and running on Square in no time, the app is super easy to use, and I had money in my bank account within 3 days of the first swipe.

    AND now there is no per-swipe fee, and only 2.75% fee.


    P.S. I'd still rather get cash :-D

  1. Tjp

    Fresh-Faced Recruit

    Joined: Jan 2010


    Square is safer than the waiter

    I had my cc number sent by a waiter to a confederate in Canada who sold it to someone and charged an auto repair on it, about 3 hours after I left the restaurant. It is safer to use square because then you know face to face the possible avenue of the lost CC number. It was pure luck through the fraud department at the CC company that noticed the charges hours apart and in different countries and hundreds of miles apart and called to confirm.

    So write a custom app to get the swiped number (and the nice piece of processing to retrieve it from the analog signal at that) or photograph the swipe and capture the info that way. crooks will take the path of least resistance.

    FUD folks, not to worry. This is an example exploit that has never been found in the wild, created by a competitor for marketing purposes.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Seagate Wireless

It seems like no matter how much internal storage is included today's mobile devices, we, as users, will always find a way to fill the ...

Lenovo Yoga Tablet 2 (Android, 10.1-inch)

Lenovo is building a bigger name for itself year after year, including its devices expanding beyond desktop computers. The company's l ...

Brother HL-L8250CDN Color Laser Printer

When it comes to selecting a printer, the process is not exactly something most people put a lot of thought into. Printers are often t ...



Most Commented


Popular News