There’s been a lot of talk this morning about an open letter from VeriFone regarding the Square iOS credit card system. They make some pretty heavy accusations about a security hole in the Square system:
The issue is that Square's hardware is poorly constructed and lacks all ability to encrypt consumers' data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.
and another straightforward condemnation:
Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.
My first response was something along the lines of “Yeah, so? It’s a cheap magstripe reader.” But after some further thought, I think they may have a point, though their post doesn’t make it very clearly. And the problem isn’t limited to Square.
One of the nice things about a portable payment system is that the seller doesn’t have to leave the customer to process the transaction. The card can be swiped right there, wherever the customer is. But what if the retailer has switched the program on the phone for another one that looks identical, but also keeps a copy of the credit card information?
Or, better yet, what if some 3rd party malicious software gets installed that can run in the background and collect the information as it flows into the device over the microphone input? The recent spate of DroidDream Android malware that hit over 50 applications would certainly be an interesting vector for attacking these kinds of devices.
So how does one protect against these threats? Ideally, there would be some kind of cryptographic exchange between the software and the dongle that actually reads the card, causing the data to be encrypted as it moves from the reader to the software. This would neatly solve the second problem (a card-sniffing trojan), but wouldn’t solve the first.
Any application on the device that needs to communicate with the dongle must have some kind of cryptographic key to authenticate itself to the dongle. If that key can be extracted, then a criminal can create a fake app that looks and acts just like the real one, and we’re back to square one (no pun intended).
The PCI Data Security Standard may address much of this. Ultimately, though, if the end-user can alter their device by adding new applications, a truly dedicated attacker should be able to turn any reader into a skimmer, even VeriFone’s own iPhone reader.
Maybe the best way to guarantee mobile payments are secure is through dedicated, certified, single-purpose readers, like Chip-and-Pin systems. Then again, perhaps not.
Like all security, the best answer is one based on a risk analysis. As it stands now, the Square device can easily be turned into a generic magstripe reader, as it (apparently) sends unencrypted data directly into the phone. Therefore, it might be considered a risk, as the barrier to entry for a criminal is pretty low.
However, if the device encrypts communication to the software, possibly through some kind of PKI authentication back to a trusted root, then the barrier becomes quite a bit higher. Until someone extracts a key and starts selling malicious look-alike applications. Or (even easier) until someone starts selling knockoff scanners that look just like the real thing, but without the encryption.
The bottom line is that, no matter how you frame the problem, it’s not easy to solve. For anyone.