Verifone today released a somewhat hyperbolic video in which they accuse Square (an application and hardware combination for accepting credit cards on iPhones, iPads, and iPod Touches) of being a ‘skimming device’ and demonstrate that the Square reader can be used in conjunction with malicious software in order to capture an individual’s credit card information. As John Gruber points out, what VeriFone fails to mention (aside from the fact that they’re in direct competition with Square) is that there is almost no data captured from the magnetic stripe which isn’t already visible on the card.
Magnetic stripe readers (like the Square device) are actually a fairly generic piece of hardware. They’re not built to work with any particular application, because that’s just not how magnetic stripes work. As far as the reader is concerned, it’s all data. Whether the card is a credit card, driver’s license, or some other magnetic stripe card (like a university ID), the data is encoded on the card in the same manner.
Lauren Weinstein argues that despite the hyperbolic nature of Verifone’s accusations, and their conflict of interest, that there is a legitimate technical point here: credit card data should not be transmitted in the clear between the reader and application. “Credit card reading dongle devices”, as Lauren refers to them, should “encrypt the associated data from end-to-end, so that it is never ‘in the clear’ in a user-accessible manner”. The problem is that that creates a false dichotomy between magnetic stripe cards which happen to be credit cards, and all other magnetic stripe cards. It’s a technological solution to a social problem (that is, the problem of handing your card over to a malicious agent), and those tend not to fare well. A malicious agent who wants to build a skimmer can just as easily build a knock-off of the Square dongle, or use another device entirely. Requiring that apps like Square use a special reader which encrypts the data before transmitting it to the application just doesn’t make sense. There will always be generic magnetic stripe readers out there, and there’s nothing stopping them from reading the data off of a credit card.
If Square’s reader is a ‘skimming device’, then so is every generic magnetic stripe reader out there. Every magnetic stripe reader, like this one, available off-the-shelf, is theoretically a “credit card reading dongle device”. So, should all magnetic stripe readers encrypt their output? How is that meant to work, given that these are generic devices, intended to be used by application developers, tinkerers, and hobbyists for all manner of applications? Or should every magnetic stripe reader have some “credit card mode” where they encrypt their output if the data from the card looks like it came from a credit card? Again, all that does is make application developers’ lives harder, for very little gain in security.
The solution isn’t to attack apps like Square—or, worse, to go after anyone with a generic magnetic strip reader—the solution is for the American banking industry to finally catch up with the rest of the world and implement the EMV standard, and start issuing credit and debit cards with chips. Smart cards can do crypto on the card—a fundamental difference from magnetic stripe cards. It’s simply impossible to secure a magnetic stripe card, because there’s no way to do crypto on the card. All of the data stored on the card will always be available in plaintext. Smart cards, on the other hand, can readily encrypt data between the reader and the application, because they can do crypto on the card. EMV is not without its flaws, but it certainly represents an improvement on the status quo. Verifone’s approach is underhanded, and disguises the real problem. Deploying EMV represents a substantial challenge for the American banking industry, but it is a far better approach than recommending awkward hacks that pretend that generic magnetic stripe card readers do not exist.