Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Square’s mobile payments for Starbucks goes live today

Those who have downloaded Square’s Wallet app for iOS or Android will, from today, be able to pay for coffee via their smartphone in 7000 Starbucks stores
Those who have downloaded Square’s Wallet app for iOS or Android will, from today, be able to pay for coffee via their smartphone in 7000 Starbucks stores

Yesterday, however, Pat Carroll, CEO of ValidSoft, warned the Cartes 2012 conference (Paris) that, “The rush to grab a share of the [mobile wallet] market has led to compromised security, highlighting the need for the industry to find a robust security solution.” It should be, he said, a test of endurance rather than a sprint. “The goal should always be to make enrollment, activations and transactions safe, but at the same time not to compromise the customer experience with overly complicated secured procedures. There is a delicate balance to be met if the mobile wallet is to be a secured as well as a commercial success.”

He was not specifically talking about Square – but it is certainly worth considering the security implications. “Square Wallet,” Geoff Casely, MD EMEA of mobile security firm NQ Mobile, told Infosecurity, “uses an app/credit card reader dongle. It uses PIN sign-ins – which could be compromised by shoulder-surfing, or a brute-force or dictionary attack. And what happens if a mobile device or tablet is stolen, and the app and dongle misused?”

He is concerned that the card reader dongle doesn’t currently encrypt the card information when transferring it to the Square app on the device. “It isn’t clear,” he adds, “whether encryption will be deployed with the Starbucks launch.”

Casely notes that the Square mobile payment system was hacked back in February 2012, when researchers claimed that you could transfer funds between two Square accounts without the dongle. Now his concern is for the future. “Cyber criminals could well look to create a fake Square app – obtaining a credit card dongle for mobile is easy on dark web forums,” he warned. “This could be used to collect card data from the reader (no transaction is processed) to create cloned cards. The CVV number (the security code) isn’t collected if swiped – which is applicable to all card processing terminals.”

These are theoretical problems. But with McKinsey’s Global Mobile Payments Consumer Survey (June 2012) predicting that by 2013, almost 50% of us will use mobile payments at least once per week, it is worth pausing to consider the issues.

What’s Hot on Infosecurity Magazine?