Insecurity derailment


Last week, news emerged that RSA has suffered a serious security breach that has left many wondering whether the millions of SecurID tokens in use around the world are really that secure after all. I’d be very surprised if RSA didn’t suffer financially as a direct consequence of this breach but RSA as a business will survive.

Jack Dorsey’s new venture, Square, is hot at the moment. It’s a credit card reader and associated service that plugs into your iPhone or iPad and lets you take credit card payments. Square takes 2.75% and deposits the rest of the money into your bank account the following day. The device itself is free. All you need is a US address and a US bank account, and you can start accepting payment by credit card.

Credit card fraud amounts to billions of dollars every year. Stolen credit card details sell for up to $50, but turning the stolen details into cash isn’t straightforward: fraudsters normally buy goods online which they then re-sell for cash. It would be much easier if you could simply set up a bank account under an assumed name (not that difficult in this age of identity theft), fill it with money debited from the stolen credit cards and then withdraw it the following day.

In theory, Square doesn’t allow this, because the card has to be physically swiped through the reader for a transaction to go through.

Except that it doesn’t. Major Malfunction and Zac Franken have discovered that it’s possible to spoof the Square system into thinking that a card is present when, in fact, it’s not. This obviously opens up the risk that Square could become a vehicle for large-scale fraud, and I can’t help wondering what the credit card companies would do if that were to happen.

Could Square fall victim to its own failure to build a secure platform?

Written by jackgavigan

March 23, 2011 at 11:16 pm

Posted in InfoSecurity

One Response


  1. Dude, that’s a fair point and has totally been the elephant in the room since the valley and tanned techies started swooning over Square. Not unsolvable, but definitely has to be addressed. C2C payments haven’t even started to gain the traction, and subsequent kicking, they need to develop a standard.

    Raj Kotecha

    June 8, 2011 at 2:31 pm

