Last week, news emerged that RSA has suffered a serious security breach that has left many wondering whether the millions of SecurID tokens in use around the world are really that secure after all. I’d be very surprised if RSA didn’t suffer financially as a direct consequence of this breach, but RSA as a business will survive.
Jack Dorsey’s new venture, Square, is hot at the moment. It’s a credit card reader and associated service that plugs into your iPhone or iPad and lets you take credit card payments. Square takes 2.75% and deposits the rest of the money into your bank account the following day. The device itself is free. All you need is a US address and a US bank account and you can start accepting payment by credit card.
Credit card fraud amounts to billions of dollars every year. Stolen credit card details sell for up to $50 but turning the stolen details into cash isn’t straightforward – fraudsters normally buy goods online which they then re-sell for cash. It would be much easier if you could simply set up a bank account under an assumed name (not that difficult in this age of identity theft), fill it with money debited from the stolen credit cards and then withdraw it the following day.
In theory, Square doesn’t allow this because the card has to be physically swiped through the device.
Except it doesn’t. Major Malfunction and Zac Franken have discovered that it’s possible to spoof the Square system into thinking that a card is present when, in fact, it’s not. This obviously opens up the risk that Square could become a vehicle for large-scale fraud and I can’t help wondering what the credit card companies would do if that were to happen.
Could Square fall victim to its own failure to build a secure platform?