VeriFone Calls Out Potential Security Flaw in Square's Mobile Phone Payment App

VeriFone, the large publicly held company that makes cash registers and other payment processing devices, has issued a scathing open letter about Square, the San Francisco start-up that has gotten a lot of press recently for offering a solution to small merchants using a mobile phone.

In the letter, VeriFone’s CEO Doug Bergeron called it a “wake-up call to consumers and the payments industry….Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.”

To help illustrate the vulnerability, VeriFone said it took an hour to write a test app that could steal financial and personal information right off a credit card’s magnetic stripe using Square’s card reader.

We’ve reached out to Square for comment and have not heard back. We’ll update the post as soon as we do. [Update: Square's response can be found here.]

So, in the interim, the question is, is this a publicity stunt, or are there real threats with what Square is doing?

VeriFone claims the issue is that Square’s hardware is poorly constructed and lacks the ability to encrypt consumers’ data. In essence, there’s no way to verify that the Square dongle is connecting with the real Square application and not some knock-off. VeriFone wants Square to recall the dongles from the market.

Square said last week that it is now processing more than $1 million in transactions a day. The company, which was started by Twitter founder Jack Dorsey, recently raised $27.5 million in capital. In a recent interview we conducted with Dorsey, he explained Square’s vision to replace everything from the receipt to the register.

The open letter can be found at www.sq-skim.com, where VeriFone has gone the extra mile to make the fake application available to anyone. It is also sending a copy of the app to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor) to invite their comments.