“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts,” Google said in a statement. “This fix requires no action from users and will roll out globally over the next few days.”

The security issue, which stems from the way Android had been sending authentication tokens, had been highlighted in a recent paper by researchers at a German university.

Google had already addressed the issue in the most recent versions of Android–Gingerbread and Honeycomb–but the vast majority of phones are running older versions of the operating system.

The company is still looking at how to address a similar issue with regard to its Picasa photo service.

A report last week from researchers at Germany’s Ulm University found that Google authentication tokens are susceptible to interception in all but the Gingerbread and Honeycomb releases of Android. As a result, an attacker could easily gain access to a user’s private Google account information, such as calendar and contact information, if that phone is used on an open Wi-Fi network.

The issue here–and it is not unique to Google–is that when unencrypted information is sent over open networks, it is easily intercepted, says Lookout Mobile Security CTO Kevin Mahaffey.

“If you are mailing sensitive data in transparent envelopes, you should not be surprised people can look at (it),” Mahaffey said. Google is not the only one transmitting either such tokens or other important information “in the clear,” Mahaffey said. Much of the data transmitted from PCs and phones is still sent over unencrypted connections. However, Mahaffey said the time has come where services should be moving any potentially sensitive information over a secured connection.

Although such an approach might have been cost prohibitive back in the early days of the Internet, Mahaffey said it is now economically feasible for most services.

In Google’s case, sending the authentication tokens means that an attacker, even without one’s password, can access the account information for the life of the token–in this case around two weeks. Google changed its processes in the latest releases of Android, but the vast majority of users are running Froyo or older versions of the operating system.

Plus, unlike with a computer vulnerability, users don’t have a way to quickly update their phone’s software as new issues are discovered. Instead, updates to the operating system typically take months to get approved by the phone makers and carriers before becoming available to phone owners, if they are made available at all.

At Google’s I/O conference last week, the company outlined a new industry effort aimed at both speeding up software updates and ensuring that they are made available to users for at least 18 months after a device is introduced.

In the meantime, Mahaffey recommends that users try to avoid unsecured Wi-Fi connections altogether, or, if they are using such connections, that they turn off synchronization and be careful what other types of data they send.

For its part, Google says it is aware of the issue, has made some changes and is working on others.

“We’re aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we’re working on fixing it in Picasa,” Google said.

Sony says that the credit card data associated with the accounts was encrypted, though there are anecdotal reports of credit card fraud occurring coincidental with the timing of the breach.

On top of that, regulators in places as varied as Connecticut and the U.K. and Ireland are demanding information, often the first step in investigations that lead to lawsuits. The office of Ireland’s data protection commissioner (cool title) says it wants a full report on the incident by the end of the week. The U.K.’s Information Commissioner’s Office is investigating. Perhaps Sony’s one lucky draw in all this, as Parmy Olson of Forbes notes, is that it won’t have to face the full fury of the European Union because authority for data privacy issues are reserved to individual member countries.

Meanwhile, the attorneys general of several U.S. states are starting to rumble, starting with Connecticut’s George Jepson, who said he is launching an investigation, while his counterparts in Missouri and Iowa are making the kind of public statements that are often a precursor to investigations of their own. A few lawmakers in Congress are tsk-ing disapprovingly too, mulling hearings and new legislation. Below is an appearance on CNBC by Sen. Richard Blumenthal, D-Conn., suggesting that the Department of Justice should launch its own investigation.

Thanks, Senator. However, my guess is that if the systems compromised are in the U.S.–and given the number of PlayStation Network customers there are in the U.S., how can they not be?–then one branch of Justice is already likely involved: The FBI. Hasn’t Sony already disclosed that it’s working with law enforcement? This isn’t exactly the sort of thing for which you call a local police agency.

Madigan said in a statement that she had sent a letter to both companies asking them to detail exactly what information their devices are collecting, how long the information is stored and for what purposes.

“I want to know whether consumers have been informed of what is being tracked and stored by Apple and Google and whether those tracking and storage features can be disabled,” Madigan said in a statement. “It’s important that these companies ensure that their users’ private information is protected.”

Madigan is among the latest to raise questions over how the companies are dealing with location-based information following articles last week noting that, since the release of iOS 4, Apple devices have been keeping a detailed database of everywhere that iPhones and 3G-equipped iPads have been, storing the information in an unencrypted file.

The Wall Street Journal also noted that certain location-based information is also being sent to Apple and Google from their devices. In a separate story on Sunday night, the Journal noted that the iPhone appears to be storing the data whether or not users opt in to location-based services.

According to Bloomberg, the South Korean government is also looking into Apple’s data practices, and the first consumer lawsuits have appeared, filed in Florida.

Apple has declined to comment on its practices, including how much information is sent to the company, how long it is kept, how it is used and why the information is stored in an unencrypted file. However, its CEO reportedly responded to one customer’s mail with a terse comment. “We don’t track anyone. The info circulating around is false,” Jobs said in the email, as reported by MacRumors. Apple has declined to say whether the email is indeed from Jobs, though he is known to fire off short responses on occasion to customers who email him.

Google declined comment on Madigan’s letter, but defended its practices last week, noting that it collects information only from users who opt to receive location-based services such as custom search and mapping. The company has said the information collected is tied to a unique identifier that is specific to each Android device, but is not tied to other personal information, such as a Google ID.

Both mapping and search, for example, use location information to provide results tailored to where a device is at.

However, Google stressed such services are optional and that even for those users that opt in, the information is not tied to a Google account or other personally identifiable information. The information is uniquely identified per device, but that unique identifier is an anonymized token, as opposed to being tied to other information, according to Google.

“All location sharing on Android is opt-in by the user,” Google said in a statement to Mobilized. “We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices. Any location data that is sent back to Google location servers is anonymized and is not tied or traceable to a specific user.”

Those that opt out can still use maps and search on their phone, but would have an experience that doesn’t tie to their specific location and would be more similar to the experience of using Google’s search and maps on a desktop or laptop computer.

Questions about what location-based information Android makes use of followed reports that Apple’s iPhone and 3G-equipped iPads are storing a history of location information in an unencrypted database on the device. The Wall Street Journal on Thursday noted that both Android and Apple devices are sending certain location information back to the companies.

In addition to that issue, there are separate issues over the length of time such information is stored, both on the device and by Apple and Google. The iPhone (and 3G-equipped iPads) appear to be storing a long-term directory of where a device has been and keeping that information in an unencrypted database. Google keeps a small cache of such information, to allow mapping and search to work even if a device temporarily loses GPS signal. However, it doesn’t keep a long-term record on the device.

Apple has not responded to requests for comment on how it uses location information.

The company did disclose some information last year on the information it collects in a letter to Democratic Rep. Ed Markey of Massachussetts. However, congressman Markey said in a statement this week that he is still concerned and sent additional questions to Apple.

“Apple needs to safeguard the personal location information of its users to ensure that an iPhone doesn’t become an iTrack,” Markey said. “Collecting, storing and disclosing a consumer’s location for commercial purposes without their express permission is unacceptable and would violate current law.”

It turns out the iPhone (and 3G iPad models) have been saving up this information since the arrival of iOS 4 and storing it in a handy little unencrypted database on the iPhone itself, which is also backed up to whatever computer the phone is syncing to.

The first reaction was obvious. There was the predictable (and frankly quite understandable) concern about this data, followed by tons of fomented frenzy. Had users agreed to this collection? Where it was being stored? How was it being used and why wasn’t it better protected?

Second, and more interesting, was the rush to willingly share all this privacy-invading data. Thanks to a nifty app that maps the information, it’s quite easy to do. And lots of people have done so.

I think this tweet from Chris Mulligan about sums up the mixed emotions rushing through many an iPhone owner this morning.

“The iPhone tracking is pretty sweet, but I wish it had more detail,” he wrote. “It’s missing a few places I’ve been. :( Oh, and I guess encryption?”

Of course, I am both that scrapbooking cousin and one who feels compelled to share. Here, for example, are some of the places that my iPhone has visited.

It appears I have been to lots of places in California, as well as to Orlando (CTIA), Las Vegas (CES), Tahoe (fun weekend with friends) and New York (Verizon iPhone launch), among other places.

Now, all that being said, the information that the iPhone is collecting apparently goes deeper and also includes time and very specific place information, which could be used in all kinds of not-so-nice ways.

Although I am willing to share this data in a fairly undetailed map with the world, as are apparently lots of others, it’s unclear that everyone would want to share exactly everywhere they have been–and when.

Cue lines like “Hmm, you called in sick on Thursday, but your iPhone was at the movies all day” and “Honey, why were you with your ex last week–at her apartment?”

Plenty of legitimate questions about this remain, including why the h-e-double-hockey-sticks wasn’t the information at the very least encrypted. I’ve reached out to the folks in Cupertino and will let you know what I hear back.

By the way, cellphone carriers already have such information, but they tend to take better security precautions and don’t give out the information without a court order.

Also, there is an option in iTunes to encrypt its backup with the iPhone, though it is not immediately clear if this would solve all of the issues.

The result is a push from both start-ups and traditional security firms, with Webroot becoming the latest software maker to offer a mobile-specific product.

On Monday, the company launched Webroot Mobile Security for Android–a program that comes in a basic free version as well as a more advanced paid edition that sells for $14.95 per year. Webroot says that, for now, Best Buy will be its exclusive outlet for the paid version.

As with other smartphone security software, the new Webroot product focuses not just on protecting against viruses but also managing the threats posed by the fact that smartphones are basically easily lost honeypots filled with tons of personal information.

“We believe in protecting you as an individual, not just the device you use to connect to the Internet,” Webroot vice president Quinn Curtis said in a statement. “With smartphones and tablets, we carry around vast amounts of personal data including our contacts, emails, passwords, and even financial information. This data is targeted by cybercriminals through malware, online scams, and device theft, and the market success of the Android mobile operating system provides the scale they need to make those attacks profitable.”

Webroot joins McAfee and AVG as well as Lookout Mobile Security, a well-funded start-up that focuses on smartphone security software.

Dubbed LizaMoon after the Web site where some users are in some cases redirected, the attack was first documented by the security research firm Websense. The hack seeks to trick Web users into believing that their computer has been compromised by viruses and prompts them to download fake security software that itself causes further problems. Among the sites serving up the links to the fake software sites are some belonging to Apple and used on its iTunes store, though Apple is said to have cleaned up the affected code on its site.

Websense says that so far it appears that sites using Microsoft SQL Server 2003 and 2005 are at risk, though as yet SQL Server 2008 doesn’t appear to be affected. No word yet from Microsoft about any of this, though I’ve asked them for a comment.

Update at 4:25 pm PDT: I just got this statement from Microsoft:

“Microsoft is aware of reports of an ongoing SQL injection attack. Our investigation has determined these sites were exploited using a vulnerability in certain third-party content management systems. This is not a Microsoft vulnerability.” I did not, however, get a hint as to the identity of the “third-party content management system.”

SQL injection attacks take place when malicious code–essentially commands to a Web server to do things it’s not supposed to do–are inserted into routine queries of a Web site’s database. A basic way to carry out these attacks is to add extra commands into the URL bar of a browser when visiting a vulnerable Web site. It’s not entirely clear exactly how this series of attacks has been carried out.

I talked with Josh Shaul, CTO of Application Security, Inc., a database security vendor that specializes in researching attacks on databases. “It’s a very new take on a very old type of attack,” Shaul said. “SQL injection has been the primary way that databases have been attacked for years. What’s different here is that people are putting the code that runs their Web sites in the database itself. And that’s what’s so troubling. Effectively you’ve exposed your code to an attacker so they can go modify it.”

Attackers found hundreds of thousands of sites that use a single user account to query their databases for all visitors, Shaul said. “The databases are clearly configured in an insecure way,” he said. “That’s what it all comes down to. Why is it that the log-in to use the database has the right to modify the code for the Web site itself? That makes no sense at all.”

In this case, the attackers took advantage of the weakness to insert a script that creates a pop-up that sends a site’s visitors to another site that looks like a legitimate place to download new Microsoft security software. That makes the attack on the Web sites themselves just a means to an end–the end being tricking innocent Web users into clicking on a series of links and paying to download fake security software.

Websense produced a video demonstrating what happens. The short lesson is this: If you see a pop-up that tells you you’ve got a virus or that your computer is compromised by a bunch of security issues, don’t click any of the links in it; it’s probably not legit.

That’s the essence of a new report from researchers at George Mason University.

George Mason professor Angelos Stavrou and some colleagues used an Android smartphone to launch a covert attack, but Stavrou said that any smartphone could be vulnerable when synchronizing to a computer or even just plugged into a charger. Once a cable is compromised, Stavrou said, it can attempt to act as an input device. Like a mouse or keyboard, it can then send signals to take control of a connected computer or phone.

The attack vector is especially pernicious because users aren’t even thinking they might be vulnerable.

“The typical user inherently trusts the connection when hooking up devices using a USB cable because they think they know what it is supposed to do, and they own the two connecting devices,” says Stavrou in a blog post. “Attacks through USB cables haven’t been seen before, so there are no defenses in place to prevent or even detect them.”

Coviello didn’t disclose many details about the attack, but said the attackers were able to extract some information about the company’s SecurID products. The backbone of the SecurID system is the keychain-sized tokens like the one pictured that generate a new number every 30 seconds or so, and used to log in to computer networks and other systems. The tokens and software that generates numbers in the same way on smart phones are widely used by corporations and governments to keep attackers out. As of 2009, RSA estimated that 40 million people used the tokens and another 250 million used RSA software on their smart phones.

Coviello said that so far it doesn’t look like the SecurID system has been compromised. But the information taken by the attackers could make an attack that would compromise it somewhat easier. “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” he wrote. “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

RSA has classified the attack as an “Advanced Persistent Threat” which in security industry parlance means it’s sophisticated enough that it may require the resources of a nation state to carry out, though the phrase is often met with mild derision by security professionals. As one put it, APT is another way of saying “not attacked by a script kiddie.”

It remains to be seen exactly how significant this incident will prove to be over the long term. As one security expert put it to me, if algorithm used to generate the numbers displayed by the token is compromised in any way, confidence in the SecurID system will plummet, and the cost to RSA and EMC could be serious. Not only will there be the cost to replace all those tokens, but work will have to be done to change the software algorithm used to generate the numbers. Neither will be inconsequential. EMC shares finished the day up 25 cents or nearly 1 percent, but are falling slightly in after-hours trading as the news about this attack has come to light.

In response, Square’s CEO Jack Dorsey said the claims weren’t “fair or accurate,” and that VeriFone was overlooking all of the protections already built into your credit card.

VeriFone’s awareness campaign may be considered a little unconventional.

The company went as far as to launch a web site, record a video, and develop a mock-iPhone app that demonstrates how easy it was to use Square’s dongle to skim information off of a credit card.

Reactions to VeriFone’s approach largely sided with Square.

In comments on our site and on other venues, including Twitter, respondents mostly waived off the concerns, saying that VeriFone was feeling threatened by Square’s progress in the market.

In an exclusive interview, VeriFone’s CEO Doug Bergeron explained why the company felt it was necessary to launch the campaign.

Actually, the interview was positioned as a way to “clear the air,” although as you’ll see, those were not his words, but rather the phrase his public relations people chose to use in pitching us.

Here is our conversation, which has been edited for length and some context, but is largely as it happened.

Duryee: I was told you want to “clear the air” about VeriFone’s actions last week.

No, I don’t think that’s the way I would put it.

I believe that’s a direct quote from your PR person.

Well, I can’t help what they say.

But this is a very interesting time in mobile commerce. There’s a lot of things happening, and a lot of innovation that is happening, and yet, and yet a lot of historical issues that haven’t gone away.

[Skipping ahead in the interview] How is your smartphone product different than Square’s?

We’ve been selling PAYware Mobile for about a year, and it is selling well. Square is the only one that I know of that doesn’t encrypt their data.

We don’t use a dongle. We use a sleeve, or basically it’s a small cradle that the phone sits in. What’s different is that we encrypt the data, which means it costs $25 to $35 more to provide that technology. We aren’t creating fraud. We want consumers to be able to accept credit cards. But if you cut corners it causes problems.

We’ve been mentioning it for awhile, but we thought we needed to be heard.

Did you approach Square directly?

We’ve been in several conversations–not just with Square–but with the industry, and not just about Square, but about hypothetical devices.

We don’t want an industry that’s been moving toward simplicity, which we think is good, to move toward technology that’s allowing fraud. We don’t want it to go in wrong direction.

Did you give Square a heads-up that you were going to do what you did?

I don’t know who our PR folks talked to or didn’t.

Your PR folks told me that you had a meeting with Square’s CEO Jack Dorsey the week before.

I did see him in New York. We were at a similar meeting. I brought up the security issue, and asked him how are you addressing security? The answer was still, the networks will take care of it.

That’s not the way the rest of the world is treating this.

Networks have programs that monitor transactions, and they’ll call you if you are traveling, and there’s systems that can identify things post-facto, but that’s after the fact. The rest of the world has used smart cards and other mechanisms to stop fraud where it happens.

So, the networks can take care of it?

It’s not good enough. We should be joined arm-and-arm to make sure customers trust these systems and make sure that fraud goes down. I don’t think retailers like paying the highest interchange rates in the world, that’s not fair.

Was your open letter fair to Square?

[He laughs.] Listen it’s a competitive world. We take our role as a leader in the industry seriously. We gave them a heads up and free advice that you shouldn’t be allowing systems out there, unencrypted. If that’s fair or not, it’s not the issue here. We collectively need to create new technology to reduce fraud, whether you are a venture-backed business or a big businesses. We are both responsible for our own decisions and should be able to fend for ourselves.

Were you worried they were gaining traction in the market?

No, not at all. We don’t know what traction they’ve seen. We might be doing more than them. I have no idea. It is worth noting that we do less than a couple of million dollars a year with micro-merchants, such as garage sales or Girl Scout cookies. But that’s not the essence of VeriFone. This is not our massive attempt to protect two million in revenue. If that’s what you think, you are missing the point.

We are not worried about competition in one of our $2 million segments, but we are worried about the industry not being concerned about the third rail of skimming, which is smartphones not using encrypted data.

Still, a lot of the feedback in the comments on our site and on Twitter was that you felt threatened by Square.

I notice Verizon and AT&T advertise whose systems don’t work. Oracle advertises against HP, by saying their systems have more processing power. I’m not quite sure how this is different. We have a solution that encrypts data and reduces fraud. If that’s not worthy of identifying and knowing, what’s wrong with that?

Well, maybe you went too far by making the faux iPhone application available for download on the site?

If we didn’t, we would have been accused of blowing smoke. The fact that we could do it [build one] in an hour demonstrates how serious of a problem it is.

[NOTE: PR jumps into the conversation, adding that the application on its site was only for demonstration purposes. No one could actually download it and skim credit card information with it. It was only to show it was possible, but there was no actual risk.]

You really believe that the Square dongle will be used for harm?

They certainly could. It’s a skimmer that doesn’t look like a skimmer. You might be using a merchant that you trust, and they are skimming right in front of you and don’t even have to go in the back room.

Now that you’ve voiced your concerns, what happens?

I don’t know. We all continue to go along our paths and try to improve paying at the pumps, and paying at the table, and try to continue to promote that smartphones are great and that the data should be encrypted…

We have a competitive reason to do so, and we believe we have a differentiated product. This can be solved. This isn’t rocket science. They can add encryption and they’d be done.

There is no next step. We’ll continue to sell the most robust in the industry, and reduce fraud and feel good about it, and they’ll continue to do what they do.

[From earlier in the interview. Bergeron provided the company's historical context in the industry, which led them to the decision to write the open letter last week.]

Without the benefit of 30 years of watching historical issues, it’s easy to see how our campaign last week was considered unconventional. But the reality is we are speaking to a very seirous issue here.

The first has to do with the ongoing concern–even worry–that retailers large and small are having with conventional card brands.

It plays out like this: I see you give me a lot of value to accept debit and credit because customers like it, but this notion that I’m paying the highest interchange rates in the world in America–15 to 25 percentage points of my revenue. Whereas, the rest of the world on average pays 10 percent. As a retailer, I’d say I’m just not getting how the 25 percent that I’m giving up to the card ecosystem is valuable.

The response is: The reason you pay the highest interchange rates in the world is because there’s a lot of fraud in the system.

Some of it goes to profits and managing the network, but a big piece of it is a pooled risk to cover the fraud in the system. The reason European retailers pay significantly less is because there’s a lot less fraud in the system. Ditto Canada and Australia.

Every other country has taken technology to eliminate or reduce the incidence of fraud and skimming. Therefore there’s less fraud and interchange rates come down.

Every day of the week, I hear them [retailers] complaining about interchange. I defend it. We are what we are, and there’s fraud in the system–that is what it is. We have made it our mission to go after the sources of fraud.

There’s two big areas of fraud, and the unregulated smartphone dongle is creating the third.

What are the two big sources?

The two biggest sources, which Forrester, IDC and NPD would all agree, is gas pumps and restaurants.

And there’s a reason for that.

Gas pumps received a waiver from Visa and other card companies.

They were leaned on by the oil companies, which claimed that meeting PCI compliance at each gas pump would have been really painful for the gas stations. And therefore at the 800,000 pumps today, unlike most stores you go to which use compliant technology sold by VeriFone or others, there’s nothing protecting your data there.

These pumps are serviced in the middle of the night by independent operators. It turns out that there’s a few master keys running around, which open up hundreds of thousands gas pumps, and then skimmers are inserted in the pumps and the data is captured.

Fraud gets created, and interchange has to stay high.

I thought gas stations experienced high fraud because the credit card has already been stolen, and can easily be used at the pump?

No, the signature doesn’t act as a deterrent. There’s a lot of unattended systems, where there’s not a person there, and they are all compliant and are encrypted. Only in America do these pumps exist.

And, what about restaurants?

The second area where there is a lot of fraud happening is in restaurants. You give your card up to the waiter, and they copy it. We agree [with Square] that copying cards down is a form of skimming.

Restaurants are the last frontier. Restaurants are the only place, where you give your card to a stranger and they go in the back room. So much happens in restaurants. They can get the number on the back, or run it through a skimmer, which are commonly available.

We have tech solutions to solve the two big problems, which would go a long way to reducing fraud, and probably reducing interchange.

Which leads us to how you believe Square is creating a new unencrypted point of sale?

We fear it is the third place, where data is being transmitted through a non-payment device without encrypting it before it goes in.

We have an iPhone product called PAYware Mobile.

We are on a mission here to reduce interchange for retailers by increasing the use of technology at the point of sale. We’ve been telling the story to card associations, customers and major retailers for the past year…It’s not just about reducing interchange for retailers when customers get their identity stolen, it’s a major pain in the you-know-what.

We think we are on the cusp of mobile payments, and there’s going to be more and more done with the phone. We want to make sure it is done securely because if there’s a major pandemic of fraud using cellphones, it’s going to slow the adoption.

We not only support mobile payments fully, we were great proponents of the use of smartphone as credit cards and acceptance systems–our point is let’s be consistent with the rest of the industry.

That was the finding of a Harris Interactive survey that’s being released later today. The poll, of more than 2,000 U.S. adults, found that 48 percent of tablet users are viewing or transmitting sensitive information on their devices. That compares to some 30 percent of respondents that reported such information was passing through their smartphones.

Both work and personal information is clearly finding its way on to both tablets and smartphones, though more of those surveyed said they had confidential personal information than reported having sensitive business data.

Dig down a level and the survey found that men are more likely than women to be confident in the security of their data on a tablet or smartphone. The same goes for the young, as compared to those who are older, according to the survey, which was done by Harris on behalf of Fuzebox.

However, there are plenty of people at both ends of the spectrum on this question. About 18 percent of those surveyed are either extremely or very confident in the security of the data being transferred on their device, while 15 percent said that they are not at all confident in the security of the data that is being transferred over their devices, whether tablet or smartphone.

“As the use of tablets increase across the world, mobile security will become a vitally important factor in the delivery of services to these platforms, especially as users more willingly trust these devices for sensitive and private information,” Fuzebox CEO Jeff Cavins said in a statement. Fuzebox makes collaboration and communications software that runs on various types of computing platforms, including mobile devices.

“Today one of our competitors alleged that the Square card reader is insecure. This is not a fair or accurate claim and it overlooks all of the protections already built into your credit card,” he writes in a letter on their web site.

VeriFone’s CEO Doug Bergeron wrote a letter of his own this morning, saying that Square has a serious security flaw that places consumers in dire risk.

Dorsey had two response to the claims:

First, he said that credit cards are inherently not secure. “The waiter you hand your credit card to at a restaurant, for example, could easily steal your card details if he wanted to–no technology required,” he argued.

Second, and likely more importantly, he said its partner, “JPMorgan Chase, continually reviews, verifies, and stands behind every aspect of our service, including our Square card reader.”

In addition, he said one method that ensures a transaction is secure is that you can request the merchant send you an instant text message or email receipt that’s delivered from Square’s server after every transaction.

VeriFone went to the fairly extraordinary step this morning of demonstrating on a video how easy it is to turn Square’s dongle, which plugs into the headset jack of a smartphone, can be used to steal credit card information. To do so, it developed an app that could steal financial and personal information using Square’s card reader, and made it available on its web site.

VeriFone said the heart of the matter is that there’s no security built inside the dongle to verify that its connecting with the real Square application–and not some knock-off. VeriFone requested that Square recall the dongles from the market.

In the letter, VeriFone’s CEO Doug Bergeron called it a “wake-up call to consumers and the payments industry….Seems like a great idea, but there is a serious security flaw that Square has overlooked that places consumers in dire risk.”

To help illustrate the vulnerability, VeriFone said it took an hour to write a test app that could steal financial and personal information right off a credit card’s magnetic stripe using Square’s card reader.

We’ve reached out to Square for comment and have not heard back. We’ll update the post as soon as we do. [Update: Square's response can be found here.]

So, in the interim, the question is, is this a publicity stunt, or are there real threats with what Square is doing?

VeriFone claims the issue is that Square’s hardware is poorly constructed and lacks the ability to encrypt consumers’ data. In essence, there’s no way to verify that the Square dongle is connecting with the real Square application and not some knock-off. VeriFone wants Square to recall the dongles from the market.

Square said last week that it is now processing more than $1 million in transactions a day. The company, which was started by Twitter founder Jack Dorsey, recently raised $27.5 million in capital. In a recent interview we conducted with Dorsey, he explained Square’s vision to replace everything from the receipt to the register.

The open letter can be found at www.sq-skim.com, where VeriFone has gone the extra mile to make the fake application available to anyone. It is also sending a copy of the app to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor) to invite their comments.

The so-called “Droid Dream” attacks took place earlier this week, prompting Google to quickly remove some 58 infected applications from its Android storefront. On Saturday, the company said it was taking several further steps to mitigate the damage.

The biggest action it is taking is to remotely remove the malicious applications from any devices that did manage to download the programs. It’s an option that Google has maintained, but has also reserved for only egregious cases such as these kinds of attacks. It is also pushing a security update to those devices to prevent attackers from gaining any further information from the infected devices.

“This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications,” Android Security Lead Rich Cannings said in a blog posting. “We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices.”

The latest action marks only the second time that Google has used its power to remotely remove applications from a user’s device. The first time it did so was last June, when a proof-of-concept malicious app made it to the Android Market.

Google said it will also e-mail those who are affected and the devices will post a notice saying that “Android Market Security Tool March 2011″ has been installed and such users may also see a notification that applications have been removed from their device. Droid Dream worked by attaching malicious code to a number of seemingly useful applications.

Although the infected apps collected some information to identify the device and which versions of the Android software it was running, Google does not believe that any other information, such as personal user data, was compromised. The exploit used vulnerabilities that Google had closed in the most recent releases of Android, including Gingerbread. Only devices running versions of Android prior to version 2.2.2 could be affected, Google said.

The company is looking for a new vice president of IT security who will report directly to CIO Bill McGrath. A source who obtained a copy of the eight-page job description being circulated by executive search firm Heidrick & Struggles was kind enough to send it along to me.

AOL is of course on an acquisitive tear, adding new properties all the time, and thus making the job of a new head of security ever more complex. It recently spent $315 million to acquire The Huffington Post and five months ago acquired TechCrunch.

The document below doesn’t mention compensation, but my source was told the pay range is in the mid-200s. It’s been awhile since AOL itself has been the target of a security breach, at least of the kind that makes headlines. Of course there was today’s distributed denial of service attack against WordPress.com which apparently affected Techcrunch for some time today. If you think you’re the one who’s up to the task, the job description is below. Enjoy.

aolvpsecurity

The attack, which cropped up Tuesday evening, was attached to multiple applications posted to both the Google-run store and various third-party app markets.

Although Google managed to expunge the 50 or so affected apps within minutes of learning of their presence in the store, the fact they made it that far indicates the game is changing. In the latest attack, the malicious code was attached to legitimate applications, but also was collecting identifying data from the phone and sending that information to a remote server.

Experts have warned for a while now that as smartphones gain traction, there will be an increasing number of attacks. Anti-virus firm Symantec says that threats have been increasing significantly in recent months after being quite rare, often limited to more proof-of-concept type exploits.

Not only are today’s smartphones the equivalent of a desktop computer, each one has a connection to not only personal information and the Internet, but also to a carrier billing system–putting would-be attackers one step closer to where the money is.

“For first time in history, a malicious attacker can send a packet of data and money goes flying,” said John Hering, CEO of phone security software maker Lookout Mobile Security. “Think about that.”

Already there have been attacks that cause an infected phone to send a premium text message, generating instant revenue for the attackers. Those attacks, against both Symbian and Android, have been confined largely to Europe and Asia–areas where premium SMS is more common and where carriers are sometimes less vigilant about monitoring traffic, Hering said. An attack in December, centered in China, took a significant amount of data from Android phones and sent it to remote servers.

That the phone has been seen as less vulnerable than the PC is largely an artifact of the fact that the devices have only recently gained powerful operating systems and fast Web connections.

“It’s not like phones are inherently safer than computers,” Hering said. “It’s just been more attractive in the past to attack computers.”

In general, Android malware has been attached to applications–often to legitimate applications–and posted to various third-party stores, rather than to the Google-run Android market. Indeed, sticking to the official stores has been one of two major recommendations from security experts (the other is to pay careful attention to what permissions an app is requesting).

Keeping up to date on a phone’s operating system can also help. Droid Dream, for example, exploited a security flaw that was closed with the Gingerbread release of Android. However, unlike on the PC side, users don’t always get to choose which updates they install, as carriers and device makers often get a say in which apps are provided to customers.

The Android attack is also sure to raise the question of whether an open platform is less secure than a more closed one and also whether it is better to have a curated market or one that is community-managed. Hering said it is not fair to say that Droid Dream suggests Android is more vulnerable, noting that both open and closed systems have their benefits. Open-source code does mean everyone can look at things, but it also gives the community a chance to report flaws before the bad guys do.

Naturally, there is also a market that has emerged for security software that can be installed on a device. Lookout and Symantec both offer phone products, and Hering said that Lookout’s software was updated within hours to protect against infected applications from both official and non-official sources.

Given how quickly Google removed the infected apps, it still makes sense for the cautious to stick to the Android market. However, it is clearly not a failsafe.

The other big recommendation is to not just blindly click OK to all those warnings that pop up when installing an app. On Android and many other platforms, users have to explicitly give an application permission to do certain things, such as access location data or make phone calls.

“If someone is downloading a scientific calculator and it wants to send text messages, it should raise some eyebrows,” said Vikram Thakur, a principal security response manager at Symantec.

I just got my first smartphone, an Android model, and have taken a look at the free apps at Android Marketplace. Is there any way to “know” which apps are safe to download, given the reports about malware/spyware now getting into phones?

A:

Partly because Google doesn’t prescreen apps the way Apple does, there’s less certainty on Android. However, I personally don’t think that most or even very many Android apps, by percentage, are malware. And you can always check them out in the reviews, or by doing searches to see if others have noticed any problems with them. Finally, if you’re really concerned, there’s a security app called Lookout that can supposedly spot malicious apps and protect your phone in other ways.

Q:

My husband loves his iPad. He is going into the hospital soon for surgery and would like to have it with him to keep occupied. I worry that someone may steal it. Is there an app for that?

A:

I don’t know of anything usable outside of a store that will actually secure it physically so it can’t be stolen (though I invite readers who do to let me know). But Apple does have a free app that can locate a lost or stolen iPad or iPhone, cause it to sound an alarm or display a message, lock it, or even wipe its contents.

Info is at: http://www.apple.com/ipad/features/find-my-ipad.html.

Q:

I just purchased a Toshiba Satellite laptop to replace my Dell desktop. I’ve been keeping the power cord plugged in all the time. Is this OK or should I let the battery run down on occasion?

A:

There is contradictory advice about this, but most experts I’ve spoken to say it’s generally a good idea to unplug it at least once a month or so and use it all the way, or almost all the way, and then recharge it. This is partly to keep the computer’s battery gauge accurate.

You can find Mossberg’s Mailbox, and my other columns at the new All Things Digital website, http://walt.allthingsd.com. Email mossberg@wsj.com.

The product, Plan B, is from Lookout Mobile Security, a startup that focuses on phone security software.

“We’ve all had a friend who has lost their phone, but didn’t have Lookout or another ‘find my phone app’ already on their phone,” Lookout said in a blog post announcing the product. “Plan B was created for them.”

Released last week, Plan B takes advantage of the fact that Android now has a Web version of its Market where one can choose an app and have it installed directly onto a device.

As a result, a user must have an account already set up on their Android device before it is lost and must have the app installed via the Web store. Once installed, the App will send a map of the phone’s location to the owner’s Gmail account.

The Plan B program is free, but clearly the goal is that anyone that uses it will want some more substantial protection for their phone in the future and be a good potential customer for Lookout’s more advanced software.

“Plan B is not a replacement for Lookout and is designed to be a one-time use app,” the company said. “It’s a backup plan for anyone who’s lost their phone and wants to get it back.”

I haven’t tried it myself, but it has already gotten a few rave reviews from thankful users.

The program is the first product to come out of a new “Lookout Labs” venture. According to the company, the new labs effort was “created to explore and test out new ideas that push the boundaries of mobile.”

It comes with all the usual caveats that accompany labs efforts.

“Projects developed in Lookout Labs are experimental by nature and are developed to showcase new concepts and facilitate an exchange between Lookout and the mobile community,” the company notes. “They may only be available for a limited time, so make sure you check out our latest projects when they are first rolled out.”

One of the more intriguing launches is a product called Divide from Enterproid that aims to separate Android devices into two segments–one filled with information and business apps managed by an employer and the other half free to house a customer’s personal information. Initially Divide will run only on Android models, though Enterproid also wants to bring the product to Apple iOS and Windows Phone 7 devices.

“We’ve witnessed a sea change in mobile technology in recent years, and yet enterprise mobility has lagged behind, as companies have been forced to make difficult choices between the security and control of older mobile platforms and the power and functionality of newer platforms like Android and iOS,” Enterproid CEO Andrew Toy said in a statement.

The business side of a Divide device has IT-friendly features like security, access control and enterprise email, messaging and browsing, while the personal side is open, allowing full access to apps and browsing. Although users can switch between the two profiles with the touch of a button, no data is allowed to move from one side to the other, ensuring the business side can’t be compromised, Enterproid said.

Research In Motion said earlier this year that it plans to offer BlackBerry Balance, a similar feature, on upcoming BlackBerry devices.

Another company presenting at Demo, Guardly, is also looking at how mobile can help with security. However, in its case, the security in question is the physical safety of its owner. The app allows people to simultaneously contact both emergency services and neighbors or relatives at the touch of a button.

Toronto-based Guardly said it hopes to have an iOS version available in Apple’s App Store by next month, with BlackBerry and Android versions planned later.

“Guardly is the first mobile personal safety service to give subscribers access to two safety networks at the same time,” said Guardly CEO Josh Sookman said in a statement “Our vision is to complement the existing 9-1-1 infrastructure and ensure that Guardly users are reached as soon as possible by their personal safety network and authorities in the event of an emergency.”

Both a free and premium service will be offered, Guardly said.

Other mobile launches include an updated version of the News360 app with iPad support, more news sources and greater integration with social networks as well as Orange’s On VoiceFeed, an improved iPhone voice mail app that Mobilized wrote about on Sunday.

EcoATM took the stage earlier today to talk about its kiosk for buying back used electronics, such as cell phones. The company noted that 500 million electronic devices are sold in the U.S., with only a small percentage being recycled, resulting in three million tons of e-waste going to landfills each month.

The company’s kiosk (see photo above) can identify a device, check how well it is working, value the device and offer the cash to consumers. A working iPhone 4, for example, could generate as much as $300. Regardless of how much is paid, EcoATM also promises to wipe customer information from the device. CoinStar is among the company’s backers.

Update, 10:50 a.m. PT: Just moments ago on the Demo stage, Enterproid was awarded the $150,000 Qprize from Qualcomm, as evidenced by the very non-mobile payment below.

“The allegation that Huawei somehow poses a threat to the national security of the United States has centered on a mistaken belief that our company can use our technology to steal confidential information in the United States or launch network attacks on entities in the U.S at a specific time,” Huawei Chariman Ken Hu wrote. “There is no evidence that Huawei has violated any security rules….If the United States government has any real concerns of this nature about Huawei, we would like to clearly understand those concerns, and whether they relate to the past or future development of our company….We sincerely hope that the United States government will carry out a formal investigation on any concerns it may have about Huawei.”

A brazen move for Huawei, perhaps even a measure of last resort. But after the events of the past few years, why not? The company’s efforts to gain a foothold in the U.S. market have been thwarted time and again by national-security concerns. In 2008 such anxieties forced it to abandon a $2.2 billion deal to acquire network equipment vendor 3Com. And just days ago they foiled its $2 million deal to acquire the assets of 3Leaf Systems.

So why not call the U.S. government’s bluff on concerns that it’s a threat to national security? Certainly, it obliterates U.S. calls for transparency and goes a long way towards resolving the trust issues plaguing the company in the States. And it puts Washington in a conflicted position: Either disclose the evidence it has against Huawei that’s keeping the company out of the market, or admit that there isn’t any.

The company, which is also just on the verge of launching its product, was started by two former Google employees from the Android team. CEO Tom Moss said he and Gaurav Mathur saw a huge opportunity to offer companies the flexibility of Android with the kind of security features companies get with BlackBerry and Windows Mobile 6.5.

“This trend of consumerization of IT is really shortsighted,” Moss told Mobilized in an interview on Monday morning. Businesses still want the same things they always have, including high levels of manageability and security. However, the rise of the iPhone and Android with their powerful capabilities have left IT in reactionary mode. “We’re kind of going against the trend but we think it’s the right bet.”

As part of the deal, 3LM will be a wholly owned subsidiary and continue to work with multiple device makers, Moss said. Financial terms were not disclosed. Motorola was one of the companies that 3LM had been working with.

“We didn’t pursue anybody,” he said, noting there were multiple interested parties. “They are the only OEM that is just doing Android, which kind of matches our mojo and our DNA. We really think it is the best platform for enterprise IT.”

As for the acquisition, Moss said he had built a small team that did a lot of product development in a short period of time, but needed to start building up capabilities for sales and support, all of the kinds of things that would have required some sort of financing. “We don’t have to worry abut funding.”

The deal will also help the company get an in with the kind of customers and partners it needs. “It’s hard as a 10-person start-up to be taken seriously, where as if you are Motorola people will at least talk to you.”

Moss said there is a narrow window to shift the trend away from enterprises just “giving up” and allowing all manner of devices onto their network as long as they have secure email. Although that is where things are headed, Moss noted that a lot of businesses still use BlackBerry and even Windows Mobile devices because of their higher security, though clearly that trend is shifting.

“We really want to get that out there before people just give up on security,” he said. “It’s a question of urgency. We wanted to get out there really quick.”

The company, which started last year, has about $1.5 million in seed investment from angel investors and VC firm Accel Partners.

I have a Windows PC. Microsoft sends regular updates to their “computer protection” software. Do I still need other security software?

A:

It depends what you mean by “computer protection” software.

If you are using Microsoft Security Essentials, then you already have security software and don’t need another brand, unless you are unhappy with it.

If you are referring to general security updates to Windows, these do close vulnerabilities in Windows, but don’t obviate the need for security software.

Q:

I’m an accountant and do a few tax returns for my clients in my spare time. Would you please give me some recommendations on a computer that I could use for preparing tax returns and filing them electronically?

A:

While preparing tax returns might require some skill on your part, it doesn’t require an especially powerful computer, or one configured in any particular manner. Pretty much any PC or Mac on the shelves can do it.

If you have a favorite tax software program, perhaps one geared more to accountants than to average consumers, you might check its system requirements and be guided by these.

For instance, if it runs on only certain versions of Windows, or requires a certain amount of memory, you should buy accordingly.

Q:

We have two new iPads, the models with only Wi-Fi connectivity. Can I use the Wi-Fi hot-spot feature of an Android phone to provide them with Internet access?

A:

Although I haven’t tested this scenario, I see no reason why not.

The hot-spot feature creates a Wi-Fi network from a cellular data connection and should work with any Wi-Fi capable device, including your iPads.

You can find Mossberg’s Mailbox and all of Walt Mossberg’s other columns online at the All Things Digital website, http://walt.allthingsd.com. Write to Walt at mossberg@wsj.com.

The five range in age from 15 to 26 and were arrested in early-morning raids on their homes. They’re accused of being involved in distributed denial-of-service attacks, where groups of users flood a Web site with more traffic than it can handle, thus slowing its performance to a crawl.

!n 2010 the group claimed responsibility for attacks on several Web sites, in apparent sympathy with WikiLeaks–the secret-exposing site that last year unleashed a barrage of previously confidential U.S. diplomatic cables. Targets of Anonymous included the Web sites of PayPal, Mastercard and Visa Europe after those companies stopped financial contributions from going to accounts belonging to the WikiLeaks organization. The action was dubbed “Operation Payback.” The police declined to say which attacks the five arrested are alleged to have taken part in.

Amazon was thought at one point to have been a target when its service went down briefly in December at a moment that coincided with chatter that Anonymous wanted to attack it. The company later said it had suffered a brief hardware problem.

Calling Anonymous a group is a bit misleading. Most of the people who chose to participate in one of its attacks did so by downloading software to their computers called the Low Orbit Ion Canon. Attacks were organized on the channels of Internet Relay Chat, and coordinated orders for all participants to “fire” their weapons were issued on Twitter. The software running on each desktop would then simulate legitimate Web requests to the target site, inundating it with so many requests that it would be overwhelmed and effectively rendered useless.

Earlier this month the group had trained its sights on Web sites belonging to the government of Tunisia, following civil unrest there, and just yesterday it was said to be attacking sites in Egypt.

This is the second round of arrests related to the attacks. Two teenagers in the Netherlands have also been arrested–one said to be connected to the attacks on Visa and Mastercard, the other allegedly involved in an attack on the Web site belonging to a Swedish prosecutor investigating sexual assault charges against WikiLeaks founder Julian Assange.

And speaking of Assange, CBS just announced that he’ll be interviewed by Steve Kroft of “60 Minutes” this Sunday. Here’s hoping that prompts a new Assange sketch from “Saturday Night Live,” like the one below from December.