They'll launch, make a couple hundred mil, then they'll get hit with fraud, a ton of people will lose money, and they'll be forced to shut down, since no one will want to use the service, in fear of getting defrauded.
Since there is no barrier to entry, it'll be like 2 weeks before someone comes out with a black market version, that will look exactly the same, but instead of processing credit cards, it'll store them for future fraud.
Will be like the ATM snooping devices, but instead of having to get into the bank, all you need is an iPhone, and some "small" business to rob people with. A taxi, or a newspaper stand.
Edit: If you are going to downvote, at least tell me how exactly do you think this will avoid fraud from fakers who imitate the look and feel of the device?
If you haven't read the PayPal story, you probably should. A good version of it is to be found in Founders at Work, as told by Max Levchin (the nerd who mostly solved fraud for PayPal). Turns out the early story of PayPal is the story of solving the fraud problem...so it is extremely relevant to this discussion. PayPal also started as a company doing security and payments on portable devices, so it's doubly relevant.
As far as fraudulent devices go, I think it's pretty safe to assume that people aren't going to be swiping their cards with random people; rather merchants and vendors that they already have a reasonable level of trust with, but in situations where sales would have been limited to cash only or more complicated and PO-based (trade shows, live events, sales guys in the field, etc.). It won't stop the kinds of fraud that already happen, like your waiter at a restaurant keeping lists of card numbers for sale on the black market. And, I guess it would make that kind of fraud easier, since the attacker would have more information.
But, people are, I think, pretty cagey with handing random people their credit card outside of the context of a reasonably trustworthy business. I doubt this will change that. I'm about to hit the road doing sales work for my company, and I can see this coming in very handy, and I don't think my potential customers would have any reason to be concerned about fraud (since they can easily check up on us, and know that I am who I say I am).
I didn't criticize the idea. I up voted the story.
I just answered specifically to the comment, referring to the security aspect. Paypal was losing 10 million USD from fraud, so hope won't do it for the security.
"assume that people aren't going to be swiping their cards with random people"
And, I'm not arguing with you. I think fraud will be a big part of the problem they have to solve. I'm just pointing out that fraud has been solved in other novel payment processing cases in the past and will be solved for this particular case by someone, possibly this company, possibly one of the several likely competitors that will spring up (payment processing is incredibly lucrative if you do solve the fraud problem well enough).
I'll also mention that folks swipe their cards in fake ATM swipers pretty regularly. It hasn't hurt ATM usage, in general. Likewise, PayPal fraud is still an issue that they fight every day...but PayPal is incredibly profitable. eBay and craigslist also have huge fraud problems, but again, the sheer volume of legitimate transactions and the value of the huge markets they serve is enough to overcome any misgivings people have about using the services. So, I don't think that fake swipers will make this particular company any more or less trusted than existing providers that have to fight fraud (assuming they are vigilant about actually fighting it).
I wouldn't be surprised if they were working with Palantir (ex-paypaler company) and using their fraud detection software, since PayPal has already been through this whole ordeal, it's probably a much more solvable problem now than before, at least someone has figured it out.
The interesting thing here is that PayPal made all their margins by encouraging people to use bank accounts rather than credit cards because they made almost no profit on credit card transactions. I'm interested in how this revenue model will work out, it seems like merchant services providers have arrived at their current model of business (arduous checks before granting accounts) out of necessity. Since Square is basically in the merchant accounts business (that's where their margin is) it will be interesting to see if they actually know something that merchant service providers do not about granting accounts to anyone who wants them without more verification.
I've always wondered why merchant service providers didn't instantly verify accounts and allow people to start charging immediately, but hold the captured funds while the account was verified with all the proper checks. Maybe that is what Square is doing.
there are a huge number of legit businesses that would benefit from this. i showed it to a few friends already.
why are we naysaying this specific business and not other point of sale things that operate the exact same way? what prevents someone from running a fake newspaper stand with a laptop and CC swiper? why is this product vastly different?
well, what makes an official looking device safe? ATM and gas station skimming is a big issue.
do they do restaurant payments different in the UK? would you simply hand your card over to a waiter to pay a bill? what prevents the waiter from just writing down your info? you wouldn't even see a device there.
i think that it's just an issue of trust. you won't necessarily trust someone with a hacked together device on a street corner, but if it's your cousin jim's glass blowing sculpture store, you'll probably trust anything they run your card through.
plus, in the US at least, we have a fairly robust consumer protection on cards. if you suspect your card to be compromised or see a charge on it you know isn't yours, dispute it and you'll probably have your issues resolved satisfactorily.
Generally we don't let our cards out of our sight. Indeed most of the time I handle my own card and it's only rarely that a shop assistant will handle it. (So writing down info isn't a big concern).
The portable POS devices allow the customer to tip as well BTW.
"They" don't run cards much any more. It's a case of consumers putting their own cards into chip+pin devices and keying in their PIN.
Sure @ disputes, we have similar, but it's an extra hassle and not fun.
at some point in time, there's a layer where you have to give someone some level of trust. again, in the case of ATM and gas station skimming, even official looking devices can be malicious.
also, what are your thoughts on online purchases? you're relinquishing a certain degree of control there, too.
disputing isn't fun or convenient, but if it wasn't there or it was worse, i don't know that the CC system would be as popular or successful. it's one of the reasons why debit cards had a rocky start.
I'm pretty sure this is a risk borne by the credit card industry already. Unless I'm misunderstanding something, this is essentially the same risk as that of handing your credit card to a waiter.
This device can be used with any computer or smart phone. I'd be worried about businesses using insecure computers connected to the internet instead of POS machines where people don't click on links to install untrusted software.
I thought about this but I don't think it's any worse than the status quo.
A scammer can today get hold of a fake taxi badge, pass a skimmer back to the passenger saying it's going to take payment and achieve the same end.
Presumably the argument against square would be that it will desensitise consumers to the risks associated with this and they'll drop their guard.
I think this might make sense if consumers had any guard in the first place. However since I'm sure the average person would hand their credit card to a taxi driver to skim today it's hard to see that Square changes anything.
At the end of the day this will come down to people being careful about who they hand their card to - just as they are (aren't) on the internet.
Exactly. I can rent some storefront right now and set up a fake card swiper. Maybe the barrier of entry for this kind of thing is lower... but is it lower than creating a web page and stealing credit card numbers?
The beauty of credit cards is that you're not responsible for fraud. I know that when I go to a restaurant the server could easily take a quick cell camera shot of my card, but I accept that risk because I know that I monitor my card activity and that I can recover that money if it does happen. The same applies here.
Your iPhone leaves a data trail, at the provider, at wifi spots, at bluetooth sensors. Now someone who is technically adept could muddy that trail considerably. But the basic forensic evidence is still there. And remember, for the most part criminals are human, and make human mistakes; they will do a transaction in full view of a security camera, or something equally dumb. It's no better and not much worse than the systems we have now.
Magstripe readers have been within the reach of any reasonably-clever fraudster for a long time. Attaching them to an iPhone and using audio modulation for the signal doesn't magically open the floodgates to card skimming and duplication.
This isn't even as big a threat as, say, making people acclimated to the idea of joining open wireless networks at coffee shops -- card skimming at least requires physical access to the card for a few seconds.
Fraud is much less likely here than on PayPal, for example, for multiple reasons:
a- Card present. Chances of fraud when the card is swiped are much lower than when it isn't (for obvious reasons).
b- Signature. This lets you have a basic form of authentication for the user after the fact (oh, didn't make this purchase? Why is this your signature?)
c- Location. Each purchase is tagged with the GPS coordinates from the phone.
d- If need be, pictures. You could always snap a quick photo of the cardholder if the transaction comes up as a serious fraud risk.
Yes, there are still risks of the person skimming your card info, or stealing your CC number another way, but these are risks present in the entire credit card system.
It's certainly much safer than PayPal, and they're doing alright.
It looks to me like the iPhone is the user's own iPhone, in which case the user will have installed the software on the phone side themselves. So I guess the flow would be: user starts software; merchant takes phone and plugs in device; software checks device and makes sure it is authentic; then UI presents signature page to user.
What is the hole in this? I'm not saying there is no hole, and I did like your question (and upvoted it), but I'm wondering if you can think of a good attack that I'm missing.
Edit: Instead of "iPhone" I should have said just "phone" since it will be on multiple platforms.
Only thing I can think of would require uploading malicious software with a modified version of the square device but that doesn't look possible, yet.
Why not just use your phone to pay, for example the business owner gives you a qr code that you scan in then use an app that interfaces with your paypal account that pays the business they get confirmation you don't have to worry about using extra hardware,
or why can't the business owner give you a number to text and then collect payment through that then you don't even need a smartphone any cellphone will do.
Really things would be more secure if I could send money to an account rather than have them remove money from mine.
what if you were the owner of the iphone and square hardware and the business or person you were giving money to had a barcode/number/qr code that you would scan/enter which would go to a third party(probably square) service that verifies your account is in good standing and tells the receiver on their iphone/android then the transaction is completed square takes a small cut 1 cent per transaction for being the trusted middle man. No worry about using untrusted system or anything.
You are doing everything on another person's gadget. Any verification Square can come up with, can be bypassed by simply not implementing it.
Verified icon? Easy JPG
Encoded credit card #s? Who said the fraudsters would need to use your tool?
Square Verified badge? Easily copied.
It basically boils down to trust issue, early on, consumers will just be unaware of how vulnerable they are, but then stories will start popping up all over the place about how so and so, paid with a credit card for a taxi ride using Square, and then got hit with $5K in credit card fraud.
As BigO said (or implied at least) above any such device needs to be mine. I should get a transaction ID from the seller and use an encrypted text message or other interaction with my bank to forward the money to the seller - on completion they see their tx-ID as paid and I go on my way with my acquired goods.
The Square system is like me handing over a pot with all my money in it and saying "take what you like". Whilst the above is akin to me passing the money to an escrow (my bank) and them checking it is OK and telling the receiver of the funds.
Sure a fraudster can get hold of a fake merchant ID and encode the transaction value, ID and their merchant ID with an acquired private key - but that merchant ID can just be locked when fraud is spotted and decrypting the data off the wire is going to require lots of resources.
why would someone involved in credit card fraud care about regulatory barriers and patents? These will be the same people who sneak into ATMs, and modify the readers.
Why wouldn't it just work to use the camera and do OCR on the front of the card... seems like the little gizmo is way overkill for something fairly simple.