Wednesday, March 09, 2011

Is the Square reader a security hole?

Verifone tooka swipe at Square today, saying that the Square credit card reader, which plugs into an iPhone headset port and lets anyone accept credit card payments, is a security hole. Are they right?

Yes and no. Yes, it is possible to use the Square reader to steal credit card information. But no, the Square reader does not make the existing credit card security situation appreciably worse than it already is.

Credit cards are basically 1950's technology, and their security model is fundamentally broken for on-line transactions. Back in the 1950's when credit cards were invented, the security model was that you had physically present the card to the merchant, who created a physical imprint of the card using a mechanical device. The consumer then signed the imprint. This made the security model essentially the same as that for checks: you had a physical token (the check or the card imprint) and a signature. Perpetrating credit card fraud was about as hard as perpetrating check fraud. You had to produce a physical artifact (a fake check or a fake credit card) and forge a signature. That was a high enough bar that fraud was rare by today's standards.

The descent from that halcyon days of the 1950's to today's chaos happened very gradually. Although finding documentation for this is probably very hard, the first step was almost certainly the result of merchants dealing with mechanical failures in the card imprint machines by writing down the credit card number on the sales slip by hand. The one day a merchant gets the bright idea that because they can write the number down by hand, they can accept orders over the phone. In the 1960's, magnetic stripes were added to cards, which allowed the entire end-to-end process of processing a credit card transaction to be computerized. This was a big win for efficiency, but in the process it completely eliminated the two features of credit cards that provided security: the physical imprint and the signature. The result, predictably, was a dramatic increase in fraud.

The fundamental problem with credit cards for in-line transactions is that, by definition, on-line transaction can involve only the exchange of information, not any kind of physical token. But the information that you have to give to a merchant in order to conduct one transaction is the same information that is needed to conduct an arbitrary number of transactions.

The credit card industry has responded to this situation with breathtaking naivete. A number of "security" measures have been added over the years, but they all amount to minor variations on one of two themes: 1) require additional information to conduct a transaction (expiration date, billing address, CVV code, and use computers running sophisticated pattern recognition algorithms to try to detect fraudulent activity. Neither of these measures is even remotely adequate for the task. As long as the information to process a transaction is the same for every transaction it doesn't matter how much of it there is, a fraudster can easily acquire this information (whatever it is) simply by posing as a legitimate merchant, which is trivial to do on the web. And heuristic fraud detection helps, but it will always have both false positives and false negatives. The result is a horrifically inefficient and fraud-prone system. The Square reader does make it slightly easier to perpetrate credit card fraud: now a fraudster can scan the card instead of, say, taking a photo of the front and back. But letting a fraudster copy a card in two seconds instead of six is unlikely to have even a detectable impact on current fraud levels.

The credit card companies could easily solve this problem by deploying smart cards with embedded processors that use cryptographic techniques to produce tokens that are unique to a particular transaction. This would all but eliminate credit card fraud overnight. Why don't they do it? That's a good question. The honest answer is that I don't know, but I strongly suspect that it's because the card companies are not the ones feeling the pain. The cost of fraud is substantial, but it's just fobbed off onto the merchants in the form of ridiculously high transaction fees, chargebacks, and rules that prevent the merchants from passing these costs on to the customers. The merchants are a captive audience because consumers, understandably, insist on paying with cards, blissfully ignorant of the fact that billions of dollars are being silently funneled out of their pockets and into the coffers of fraudsters and banks.

Normally, a situation like this would be ripe for a startup to come in with a better, more efficient disruptive solution. But the problem is that there is a huge chicken-and-egg problem: merchants won't want to use a new payment system unless consumers are using it, and consumers won't want to use a new payment until merchants are using it. So at the moment, unless the banks decide to do the Right Thing (don't hold your breath), we're stuck in this local minimum.


David said...

The EMV system (known as "chip and PIN" in the UK since its rollout in 2004) is unfortunately far from perfect, but a step in the right direction.

Merchant Services said...

Credit card companies can profit from the growing issue of fraud or scams. They offer the card owners some protection plan or insurance. Shouldn't they be responsible in protecting our cards and bank accounts? Why do they have to sell it to us?