Slashdot Mirror
Square Debuts New Email Payment System
cagraham writes "Mobile payment company Square — best known for their smartphone credit-card swipers — has launched a new payment service called Square Cash. The service doesn't require users to sign up or make an account. Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sender for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want within 1-2 business days."
This has got to be the most insecure payment system ever.
Account details over email and 1-2 business days?
Why not just put cash in an envelope and send USPS? At least that way you can't lost more than the cash you send.
So the From:, Subject, To:, and Cc: headers are what makes this work?
Not a bad idea, really, except that it can all be trivially spoofed, and the resulting set up/confirmation emails can be trivially intercepted and abused at will. Plus, of course, no easy drop-in encryption, and in the end it piggybacks on existing systems, so all the risks associated with them (like credit cards) will be neatly folded into the deal too.
So all I need to do is email some anonymous database my credit card information? What could go wrong?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
And why on Earth would I trust Square?
See, banks have mechanisms in place to do this. And banks are regulated.
Square wants to become a middle-man for these transactions, but they aren't a bank and aren't regulated like one.
Which means when (not if) Square fucks up, you'll be dealing with a company in terms of their EULA which says "we're not a bank, and not actually responsible for anything". With a bank you have some recourse.
Given how video game companies have been faring with security and protecting of this kind of information, my first thought is "how long before they have a security breach, and what recourse will you have".
Sorry, but I'll stick with using banks to transfer money.
Lost at C:>. Found at C.
Drug Deal!
Except Drug Dealers don't keep Bank Accounts. Its a cash and you are carrying business.
This requires you to give Square Your debit card info, and makes your recipient give you THEIR bank details.
Seriously, the NSA couldn't have dreamed up a move invasive scheme. What could possibly go wrong with that?
Left unsaid in the linked article, (and also the Square website) is how square is going to monetize this, other than by
*cough* losing one out of a hundred payments. They claim the service is free. FAQ Here to both parties. So, how do they finance that, other than getting a piece of the debit card fee? (Senders have to use a Debit card).
One wonders just how much the debit card fee is jacked up to allow Square to assume the risk for this type of service, and handle the deluge of complaints and lost payments claims. And how many will be suckered into handing over their bank info to a 419 email purportedly from Square.
World Plus Dog is rushing to mobile payments, but I'm not so sure this is well thought out.
Sig Battery depleted. Reverting to safe mode.
How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]
Time flies when you don't know what you're doing
Square requires your debit card info and SQUARE gets the recipients bank account details not the guy paying.
Yes, good catch, that't what I meant to type, but my fingers occasionally get ahead of me.
Still, Square ends up knowing a whole hell of a lot about people who may use the service exactly once.
We can only hope they have good security, because a break-in of their site could cause wide spread
financial chaos.
They have to keep lots of backup, simply to protect themselves and research transactions. Presumably all of their data is heavily encrypted, and they have off-site backups other than the NSA.
Sig Battery depleted. Reverting to safe mode.