Sure, the CC data can easily be stolen even now, but assuming Square gets popular, consumers will then have to "trust one more device" in addition to the card readers used by merchants, any other place where you swipe the card, the waiter, etc.
And more so because it's much easier to write rogue apps or malware apps for smartphones than to hack the dedicated card readers. In case of a malware app, the danger is not just limited to one merchant.
It seems to me that the real question raised by VeriFone is not being given enough concern.
Why can't the Square card encrypt the CC data with a private key that only the Square app can make sense of?
In the UK the merchant is not permitted to touch the customer's card; all the card readers face the customer and are used by the customer (restaurants all have mobile PIN entry devices).
Now each credit card in the UK has a chip (which uses end-to-end crypto), and they're looking to phase out magstripes completely.
Currently if the merchant has to fallback to using the magstripe then he'll have considerably less protection against customer fraud, and he'll pay a much higher transaction fee.
Square would not be permitted to operate in the UK.
A few years ago there was someone at a kiosk in a mall in NYC (I think), who got busted skimming. She was double-swiping, once through their POS system, and then a second time on a Palm Pilot with a magnetic stripe reader attached. She got busted because someone saw her doing it and got suspicious. Now, think about the number of times you hand over your card and it leaves your line of sight to be swiped. Other than retail stores, it happens to me all the time.
Presumably, encryption would add hardware costs to a device that they're giving away tens of thousands of for free, and only provide the illusion of additional security on top of their existing security measures once it hits the iOS client (pure speculation on my behalf).
If they baked the server's public key into the device and encrypted data with that, then only the server would be able to access the raw card data. This would prevent the device from being useful for anyone but Square. It may not be worthwhile to do so, but it certainly isn't the illusion of security if your concern is accessing the raw data.
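The scheme described in the comment above, as an added Go example (not code from this thread or from Square): the reader holds only the server's public key and seals each swipe with RSA-OAEP, so whatever relays it through the phone sees only ciphertext. The key size, OAEP label, function names and the test-card track data are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample: track 2 layout with a well-known test card number.
const sampleTrack2 = ";4111111111111111=25121010000000000000?"

// Hypothetical label that ties ciphertexts to this one purpose.
var oaepLabel = []byte("card-swipe-v1")

// NewServerKey stands in for the server's key pair; only the public half ships in the reader.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ReaderEncrypt is the reader's side: with only the public key it can
// seal a swipe but can never open one.
func ReaderEncrypt(pub *rsa.PublicKey, track []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, track, oaepLabel)
}

// ServerDecrypt is the server's side, the sole holder of the private key.
func ServerDecrypt(key *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, key, sealed, oaepLabel)
}

// PhoneSeesCard reports whether bytes relayed through the phone expose the card number.
func PhoneSeesCard(relayed []byte) bool {
	return bytes.Contains(relayed, []byte("4111111111111111"))
}

func main() {
	key, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	sealed, err := ReaderEncrypt(&key.PublicKey, []byte(sampleTrack2))
	if err != nil {
		panic(err)
	}
	plain, err := ServerDecrypt(key, sealed)
	fmt.Println(PhoneSeesCard(sealed), string(plain) == sampleTrack2, err)
}
```

This covers only confidentiality of the swipe between reader and server; a card double-swiped through a second reader, as in the kiosk story above, is outside what it protects.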