Primary links

Prediction: 2010 Insecure iPhone app of the year: Square

credit card phone adaptorOK, so I stretch a little.  I'm sure there's nothing insecure about Square's upcoming credit card processing app, itself.  I'm sure they encrypt communications back to their servers and the merchant banks, and as they're a new company they probably properly encrypt PCI data in their databases. They've thought of functionality in their app like displaying a cardholder's photo to minimize buyer-side fraud.  But by creating such a simple useful service for "casual" credit card processing, they've opened a whole new field of potential malevolence.

How does a buyer tell a legitimate credit card processor from a scammer?

Square, founded by Twitter inventor Jack Dorsey (because, you know, one good thing follows another), floated onto my radar this week after launching and getting various media coverage. Congrats! Square claims a lofty focus of bringing "immediacy, transparency, and approachability to the world of payments."

It's that approachability part that scammers are going to love.

In a nutshell, their technology seems to consist of a credit card reader which you plug into your mobile phone, plus an app to interface between the reader and their servers.  So the idea is you tell Mr. customer that they owe you money, they offer to pay with credit card, you swipe it through your nifty cell phone, they sign, both parties leave happy, fullfilled, and in awe of that immediate, transparent transaction.

Grab yourself an iPhone development kit, a credit card reader for your iPhone (what, you don't think it's going to be hard to find one of those by mid-2010, do you?) spend a day or two coding and then head down to your favorite hip restaurant.  Dress so you look like one of the wait staff, head down near close - give your victims time enough to have a few drinks and some good food.  Wander up to a table working on dessert, smile and explain that their server went home sick without saying goodbye but put their final course on the house.  But unfortunately we're wrapping things up, would you terribly mind paying the bill now so we can close the books for the night?  Shouldn't take two seconds, I'll just swipe your card...

What's that? You'd like to split the bill across 3 credit cards? No problem!

The use cases are endless.  Bravo, Square! You've just made it socially acceptable for a complete stranger to ask "can I see your credit card for a moment?" and have a significant chance of his complying.