VeriFone, a credit card processing company that has been designing and building card readers for nearly a decade, called out Square today over a security flaw in its iPhone card scanners. Square produces a credit card reader dongle that plugs into the iPhone's headphone jack and lets the device process credit card transactions.
VeriFone went so far as to register a domain, design an application to exploit the flaw, distribute it online, and notify all major credit card companies. The exploit works by installing a malicious (fake) Square card reader application on the smartphone. Since the card reader communicates with the application over an unsecured protocol, the malicious application can collect the personal and financial data from the credit card's magnetic stripe and store it locally or transmit it online.
Because the exploit depends on the user installing a malicious application, it requires some degree of social engineering to convince the victim to install it. No data needs to be transmitted to Square, so the attack can be completely contained on the hacked device.
This also enables a scenario in which a perpetrator poses as a legitimate vendor, swipes your credit card with his or her hacked iPhone, never actually pushes a transaction through, yet successfully steals your credit card information. VeriFone and Square are in direct competition with each other, with VeriFone producing a similar, higher-priced card reader for the iPhone, which makes this very public accusation all the more interesting.