Fliiby : your file library

Tuesday, March 29, 2011

VeriFone's Square App Can't Skim? Think Again.

The controversy over VeriFone's attempt to call out Square looks set to be reignited. To recap: earlier this month, VeriFone identified potential vulnerabilities in rival Square's mobile payment system and card reader, and publicly released a demo iPhone app to show how the Square system could be used to steal personal information. VeriFone claimed at the time that the application couldn't actually skim credit cards, saying it was only a demo, and eventually removed the download link. New evidence, however, shows that the application does capture and store credit card data, and leaves it easily accessible to users.

Justin W. Clarke, an independent security consultant based in San Francisco, was suspicious of VeriFone's claim that the application could not be used to actually skim credit cards, and decided to test it by installing and using the demo application released by the company on his own iPad, with his own Square reader.

He discovered that while the application itself does not display credit card details when in use, it logs all of the information, including the credit card number, the expiration date and the magnetic stripe's track 2 data in its entirety. This information is stored in the iOS device console, where it can be retrieved by connecting the device to a Mac via USB and using Apple's Xcode developer tools (now available to everyone in the Mac App Store for $4.99), or by using the iPhone Configuration Utility, also an official Apple program, which gives access to the iOS device console for free. And although VeriFone removed the links to download the application from its site, it is not difficult to find copies mirrored on other hosting sites around the web.
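The kind of check that catches this logging behaviour before an app ships, as an added example that is not part of the original article or of VeriFone's app: it scans console log lines for full track 2 data and bare card numbers, and redacts them. The log line format, the `DemoApp` name and the sample values are constructed for illustration; the card number is the widely used test number.

```python
import re

# ISO/IEC 7813 track 2: ';' PAN '=' YYMM, 3-digit service code, discretionary data, '?'
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # bare 13-19 digit run

# Constructed sample lines (hypothetical "DemoApp", well-known test card number)
SAMPLE = [
    "Mar 29 10:15:02 iPad DemoApp[123]: reader attached",
    "Mar 29 10:15:09 iPad DemoApp[123]: swipe ;4111111111111111=25121010000000000000?",
    "Mar 29 10:15:09 iPad DemoApp[123]: card 4111111111111111 exp 12/25",
    "Mar 29 10:15:10 iPad DemoApp[123]: txn id 1234567890123456",
]

def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep only the first six and last four digits of a card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_log(lines):
    """Return (line_no, kind, masked_pan) for each card-data hit."""
    findings = []
    for no, line in enumerate(lines, 1):
        track_pans = set()
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                track_pans.add(m.group(1))
                findings.append((no, "track2", mask(m.group(1))))
        for m in PAN.finditer(line):
            if m.group() not in track_pans and luhn_ok(m.group()):
                findings.append((no, "pan", mask(m.group())))
    return findings

def redact(line):
    """Strip track 2 shaped data outright, then mask any Luhn-valid bare PAN."""
    line = TRACK2.sub(lambda m: ";" + mask(m.group(1)) + "=[TRACK2 REMOVED]?", line)
    return PAN.sub(lambda m: mask(m.group()) if luhn_ok(m.group()) else m.group(), line)

if __name__ == "__main__":
    print(scan_log(SAMPLE))
```

The transaction id on the last sample line is left alone because it fails the Luhn check, which is what keeps the scanner from flagging every long number in a log.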

So what does this mean for VeriFone? According to Clarke, it is possible that the application is in breach of the payment card industry standard, which requires the following of payment applications:

1.1.1 After authorization, do not store the full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

Of course, the application is only a demo, so it is likely exempt from this requirement, but it raises anew the possibility that Evan Brown of Internet Cases raised in our earlier piece: that one might "consider whether the victim of a theft committed by this tool could sue VeriFone for" what may be called "contributory" theft.

A VeriFone spokesman reiterated that "this application contains no source code", but was not able to comment by the time of posting on Clarke's ability to access the information collected by the application. I'll update the post with further comment once it arrives.

Meanwhile, Square has all along dismissed the seriousness of VeriFone's claims regarding its security, arguing that any in-person credit card transaction carries the same risk of theft as VeriFone's demo app. And that is true: as Square notes, the number and expiry date of a credit card are easily obtained by other means. But what is notable here is that VeriFone's claim that its version of the application cannot be used, unmodified, for malicious purposes may be invalid. If so, the reputation that stands to lose the most from this attempt to discredit a rival may be VeriFone's own.
