Slashdot Mirror


Square Debuts New Email Payment System

cagraham writes "Mobile payment company Square — best known for their smartphone credit-card swipers — has launched a new payment service called Square Cash. The service doesn't require users to sign up or make an account. Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sender for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want within 1-2 business days."

53 of 240 comments

  1. Ummmm... by Anonymous Coward · · Score: 5, Insightful

    This has got to be the most insecure payment system ever.

    1. Re:Ummmm... by Russ1642 · · Score: 4, Informative

      You shouldn't send that kind of account info by email.

    2. Re:Ummmm... by Catskul · · Score: 4, Informative

      You don't send account info via email. Read the article, or even just the summary more carefully.

      --

      I'm not here now... I'm out KILLING pepperoni
    3. Re:Ummmm... by suutar · · Score: 3, Insightful

      anyone who can intercept the email from square to the recipient can use the link, unless there's a lot more validation than they're mentioning.

    4. Re:Ummmm... by NatasRevol · · Score: 3, Funny

      The NSA can finally finance all the email spying they're doing!

      --
      There are two types of people in the world: Those who crave closure
  2. Really? by mcmonkey · · Score: 4, Insightful

    Account details over email and 1-2 business days?

    Why not just put cash in an envelope and send USPS? At least that way you can't lose more than the cash you send.

    1. Re:Really? by Anonymous Coward · · Score: 4, Informative

      You don't send your account details in the email. They give you a link where you go to provide the details.

    2. Re:Really? by ljw1004 · · Score: 4, Informative

      RTFA. "If this is your first time using the service, Square will email you a link to its service, where you’ll be asked to enter your debit-card information."

    3. Re:Really? by hawky · · Score: 5, Interesting

      We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.

    4. Re:Really? by suutar · · Score: 2

      Keep in mind, Square's been doing "sender of money hands over card info, recipient of money hands over bank account info" for years. It's just that the recipient set up the account first and then met the sender face to face.

    5. Re:Really? by Anonymous Coward · · Score: 5, Insightful

      Sounds like an easy way to do a phishing scam.

    6. Re:Really? by pepty · · Score: 3, Interesting

      Were there debit card fees from the banks, etc?

    7. Re:Really? by n7ytd · · Score: 4, Insightful

      We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.

      So now can you spoof another e-mail from your co-worker to yourself, CC'ed to square and get more money from him in less than 5 minutes?

    8. Re:Really? by cybertears · · Score: 2

      Why hack an email account when spoofing the FROM address is even easier?

    9. Re:Really? by hawky · · Score: 2

      nope, no fees on either side

  3. Interac by neoform · · Score: 5, Interesting

    Isn't this exactly the same thing as an Interac e-Transfer?

    I've been sending money via email for many years this way.

    --
    MABASPLOOM!
    1. Re:Interac by aclarke · · Score: 2

      That's because you're Canadian (I assume). Try to think like an American, because they don't use Interac.

    2. Re:Interac by Catskul · · Score: 3, Interesting

      There are many systems like this including POP money. The difference AFAICT is that this does not require bank participation.

      --

      I'm not here now... I'm out KILLING pepperoni
    3. Re:Interac by LikwidCirkel · · Score: 2

      From the summary: "Square asks the sender for their debit card info..."

      That sounds like bank participation to me.

    4. Re:Interac by Catskul · · Score: 2

      The bank doesn't need to sign up for a special program a la the OP's suggestion of Interac e-Transfer. It just uses your debit card functionality.

      --

      I'm not here now... I'm out KILLING pepperoni
    5. Re:Interac by icebike · · Score: 2

      From the summary: "Square asks the sender for their debit card info..."

      That sounds like bank participation to me.

      Further, Square asks the Recipient for their bank account info.
      That sounds even more like bank participation. Willingly or not.

      How many people are going to receive an email purporting to be from Square offering an amount of money
      which will give them a link to click to post their bank account details, directly into a website run by some 419 scammers?

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Interac by icebike · · Score: 2

      A bank account number is not sufficient to enact a withdrawal in the US either.

      But when combined with other information, it's enough to give leverage to some major scammers, forgers, and check kiters, requiring you to spend all sorts of time fending them off, and answering questions.

      For many years a company I worked for published their bank account number because they received a lot of business from Europe and payers liked to do wire transfers for some reason.

      On multiple occasions people would use this number to phony up checks which they would successfully cash, or pay bills or whatever. In each case, our bank denied the payment. In many cases we would get calls from fraud investigators, asking if we knew this person or that person or had ever done business with this merchant 20 states away.

      Now that company (which I no longer work for) makes their payers request the bank account number instead of publishing it on their web page, because there is no reason to make it easier for forgers, and having to deal with it takes time, even if they don't get your money.

      If you are so confident that this is not the case in your country, publish details sufficient for someone to send you a wire transfer on some web site, and see how long it takes for you to start getting calls.

      --
      Sig Battery depleted. Reverting to safe mode.
  4. What could possibly go wrong? by Shirogitsune · · Score: 4, Interesting

    Obviously this is a front for the NSA so they can get rid of the traditional means of tracking bank transactions and just lump it all into the haystacks of email data they already collect! Government efficiency at its finest! Brilliant!!

  5. Sounds ready for abuse by Anonymous Coward · · Score: 5, Insightful

    So the From:, Subject, To:, and Cc: headers are what makes this work?

    Not a bad idea, really, except that it can all be trivially spoofed, and the resulting set up/confirmation emails can be trivially intercepted and abused at will. Plus, of course, no easy drop-in encryption, and in the end it piggybacks on existing systems, so all the risks associated with them (like credit cards) will be neatly folded into the deal too.

    1. Re:Sounds ready for abuse by Minwee · · Score: 2

      Good point, but all that would do is prompt a confirmation request to be sent back to the "sender", who is either going to realize that he didn't initiate that transaction, or has already given all of his money away to a very helpful friend in Nigeria.

      Either way, you won't be able to fake a complete transaction through Square, who really should have stuck to Final Fantasy instead of trying to reinvent the Interac e-Transfer.

    2. Re:Sounds ready for abuse by hawaiian717 · · Score: 2

      Virtually everyone has secure communication to their email provider these days.

      And virtually nobody has secure communication between email providers. So there's a good chance that at some point along the line, your email is being transmitted across the Internet in the clear. Secure IMAP/POP/SMTP is good for protecting your authentication credentials (password), but if you want to protect the contents of your email, you need an end-to-end solution like PGP or S/MIME.

      --
      End of Line.
  6. Bitcoin by Austrian+Anarchy · · Score: 4, Informative

    I still prefer the Bitcoin schemes. Now, if I only had some bitcoin to toss around :(

    --
    Time Bomber the Book coming soon.
  7. I don't understand how this is new. by LikwidCirkel · · Score: 2

    If they charge you by debit, the assumption is that you need a bank account somewhere. Most bank accounts already allow one to send an "Interac E-Transfer" to any email address for a relatively low fee. I've done it multiple times. Maybe it's just a Canadian thing.

    Why would I want to introduce a third party into this, when I can already do it through my existing bank?

    1. Re:I don't understand how this is new. by Capt.DrumkenBum · · Score: 2

      You US people really need to get with the 21st century.

      --
      If I were God, wouldn't I protect my churches from acts of me?
  8. So can I send myself an email? by gameboyhippo · · Score: 3, Interesting

    What's stopping Eve from sending herself an email from a novice computer user and having said user give out their card info? Since anyone can send an email using any email address, this feels problematic.

  9. Wait.... by Kenja · · Score: 2, Insightful

    So all I need to do is email some anonymous database my credit card information? What could go wrong?

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  10. Sorry, what? by gstoddart · · Score: 2, Insightful

    And why on Earth would I trust Square?

    See, banks have mechanisms in place to do this. And banks are regulated.

    Square wants to become a middle-man for these transactions, but they aren't a bank and aren't regulated like one.

    Which means when (not if) Square fucks up, you'll be dealing with a company in terms of their EULA which says "we're not a bank, and not actually responsible for anything". With a bank you have some recourse.

    Given how video game companies have been faring with security and protecting of this kind of information, my first thought is "how long before they have a security breach, and what recourse will you have".

    Sorry, but I'll stick with using banks to transfer money.

    --
    Lost at C:>. Found at C.
    1. Re:Sorry, what? by ImprovOmega · · Score: 4, Informative

      From what I understand Square is a credit card processing service, which means they fall under certain other regulations. Not quite the same as banks, but certainly not out in the wild west as far as regulations go. I've known several small business owners who used them for credit card payments for a while now and both owners and customers seemed happy enough with the results.

    2. Re:Sorry, what? by SydShamino · · Score: 3, Insightful

      So when you go to a store to buy something, you ask the guy behind the register to follow you to a bank to complete the transaction?

      No, I didn't think so. Instead, if you don't use cash everywhere, you probably hand the guy behind the register your credit card. If his register looks iPad shaped (and, in my experience, any new business that has opened in the past two years has registers that are distinctly iPad shaped), then he's processing your credit card through Square or a similar service. So you already trust them.

      --
      It doesn't hurt to be nice.
  11. Re:Blame Canada by guytoronto · · Score: 2

    It's not secure banking information over email. The email contains a link that takes you to a redemption site. No sensitive information is in the email. Everything is contained on secure servers - just like your bank account.

  12. Ridiculous that it takes a 3rd party by metrix007 · · Score: 4, Informative

    Why does the US have such an antiquated banking system? Hell, a lot of places still need checks because they won't take plastic!

    I've had bank accounts in the UK, Australia, Germany, Canada and the US.

    Canada is basically the US in this context..banks are no better. They do have email money transfers though.

    Which is something every other damn country has. A way to transfer money between bank accounts of individuals securely and free. The only option in the US has been PayPal or Chase QuickPay.

    Not to mention the reliance on checks (ridiculous!) and the problems with ACH fraud. Again, in no other country has my account number been secret information which I have to protect. The worst thing people could do is put money into my account.

    So many issues....

    --
    If you ignore ACs because they are anonymous - you're an idiot.
    1. Re:Ridiculous that it takes a 3rd party by metrix007 · · Score: 2

      I've lived in the US for some time, based in NYC.

      There are still a lot of places that won't take plastic. Rental agencies, for instance.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
  13. Re:Blame Canada by LikwidCirkel · · Score: 2

    No banking information is sent over email with Interac E-Transfer. That would be dumb. The recipient only gets a link and a user-chosen hint for a one-time password. In most cases, one can simply enter a bogus hint and tell the recipient the password over a more secure channel, like face-to-face.

  14. Re:Won't take off, but may Rip You Off by icebike · · Score: 4, Insightful

    Drug Deal!

    Except Drug Dealers don't keep Bank Accounts. It's a cash and you are carrying business.

    This requires you to give Square your debit card info, and makes your recipient give you THEIR bank details.
    Seriously, the NSA couldn't have dreamed up a more invasive scheme. What could possibly go wrong with that?

    Left unsaid in the linked article, (and also the Square website) is how square is going to monetize this, other than by
    *cough* losing one out of a hundred payments. They claim the service is free. FAQ Here to both parties. So, how do they finance that, other than getting a piece of the debit card fee? (Senders have to use a Debit card).

    One wonders just how much the debit card fee is jacked up to allow Square to assume the risk for this type of service, and handle the deluge of complaints and lost payments claims. And how many will be suckered into handing over their bank info to a 419 email purportedly from Square.

    World Plus Dog is rushing to mobile payments, but I'm not so sure this is well thought out.

    --
    Sig Battery depleted. Reverting to safe mode.
  15. Re:Won't take off by reboot246 · · Score: 2

    I know a lot of people who have the bad habit of sending everything to everybody in their contact list. Wouldn't it be funny if they sent money to dozens of their friends by mistake, and then those friends cc (they never use bcc) to everybody in their contact list and so on?

  16. Interesting angle ... by Anonymous Coward · · Score: 2, Funny

    Interesting idea that Square have come up with.

    This will only be their first step. The next goal will be to have all transactions take place using their own currency denomination, Gil (G). From there, they can bypass the online gambling ban and provide real-time Chocobo Racing streamed into the home.

  17. Training users to click on links in their inbox by Floyd-ATC · · Score: 5, Insightful

    How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]

    --
    Time flies when you don't know what you're doing
    1. Re:Training users to click on links in their inbox by Animats · · Score: 4, Interesting

      How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]

      Big companies are encouraging this, by sending emails that meet all the criteria for phishing emails. I just got a receipt email from Virgin Mobile after making a payment. The path taken by the mail goes through "mh.nextel.m0.net", "oms16.dc1.prod" (which isn't even a valid TLD), and "cmil278.amdocs.com". The mail text is base-64 encoded HTML only, no text version. That just screams "hostile code".

      How are people supposed to recognize phishing emails with legit companies sending crap like that?

      "m0.net" says on their site "This domain is owned by Acxiom Digital, a leading provider of email marketing solutions for Global 2000 enterprises."

  18. Open Relays FTW by Fenixfyre42 · · Score: 5, Funny

    telnet random.openmailrelay.com 25
    HELO victim.domain.com
    MAIL FROM: victim.email@victim.domain.com
    RCPT TO: dummy.prepaid.card.email@badguy.com
    DATA
    CC: cash@square.com
    SUBJECT: $1,000,000
    Here is the payment I promised.
    .
    QUIT
    Profit!

    1. Re:Open Relays FTW by SydShamino · · Score: 2

      So when victim.email@victim.domain.com is asked to validate that he wants to send $1,000,000, and is asked to provide a debit card for the transaction, he'll go along with it because the email says he originated the request?

      --
      It doesn't hurt to be nice.
  19. I have sent you $50! by TheSpoom · · Score: 3, Informative

    Simply click this link and input your debit card details! I promise nothing bad will happen.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  20. Re:Won't take off, but may Rip You Off by icebike · · Score: 3, Insightful

    Square requires your debit card info and SQUARE gets the recipient's bank account details not the guy paying.

    Yes, good catch, that's what I meant to type, but my fingers occasionally get ahead of me.

    Still, Square ends up knowing a whole hell of a lot about people who may use the service exactly once.
    We can only hope they have good security, because a break-in of their site could cause widespread
    financial chaos.

    They have to keep lots of backup, simply to protect themselves and research transactions. Presumably all of their data is heavily encrypted, and they have off-site backups other than the NSA.

    --
    Sig Battery depleted. Reverting to safe mode.
  21. Old News by VortexCortex · · Score: 2


    "Square ... has launched a new payment service called Square Cash."

    AKA: Final Fantasy I thru X

    "The service doesn't require users to sign up or make an account."

    Yep, but they make you grind harder than ever for credits...

  22. Hyperwallet (Canada) by future+assassin · · Score: 2

    In the mid 2000's used to do that with Beam Cash, although you needed an account: http://www.hyperwallet.com/consumer/help/beam-cash-email-money-transfers.html

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  23. virtual payment cards not supported by hugetoon · · Score: 2

    I tried a 1$ transfer using a virtual payment card (I can obtain a one time card number on my bank site limited to a specific amount, this is useful for online purchases). I could not link this card: "Card not supported".
    Too bad, I really wanted to test their service with a spoofed mail after doing first transaction normally.
    There is no way I'll be providing them my real card number.

    Hint: they do not brag about being PCI DSS certified (not even compliant) that certainly means they are not.
    They only say: "You’re safe with us. The privacy and security of your financial information is our top priority." which is not very reassuring to say the least.

    1. Re:virtual payment cards not supported by vanyel · · Score: 2

      It has to be a debit card; since Paypal stopped doing virtual cards, I don't know of any debit cards that do them any more. I have Discover and Citibank credit cards specifically because they do support them, though that doesn't help here.

      And actually, they do brag about being PCI DSS certified in their "Security" section.

      Which doesn't mitigate the fact that they are setting up a phishing gold mine: "click here to enter your debit card number and receive some free money!"

  24. Just sent twenty bucks. by Seor+Jojoba · · Score: 2

    It works. You have to give them credit - the process is extremely simple. I could see it taking off. From a security perspective, it's not great. But it's also not as bad as some people here are making out. You don't send any information over email other than the email addresses of the sender and receiver, and sender's intent to send $x to seller. Phishers are likely to pattern "you've got money" emails off of these Square emails to people. But these are just another variation on "give me info/money, so I can send you money" scams. Same common sense defenses apply--If you aren't expecting money from somebody, don't give out personal info. And then there are more sophisticated man-in-the-middle attacks combined with spoofing the "you've got money" email or replacing content in it. Those are the ones I'd worry about, but they are also much harder to set up. When you go to your online banking website, do you worry about someone spoofing the whole site (or at least the login) and making the DNS point towards the spoofed site? I do, but not enough to stop using it.

  25. Tested it myself, screenshots. by mediocrist · · Score: 3, Informative

    I sent my girlfriend $5 to try it out. It went down like this.

    Send an email to her composed as such:

    To: girlfriend@gfmail.com
    Cc: cash@square.com
    Subject: $5
    Body: Ladida whatever

    She received the email, and immediately afterwards we both received an email stating I was sending her funds.

    My Email: http://imgur.com/f264wIG
    Her Email: http://imgur.com/F8GhpJ9

    When I hit the link card button, it brought me to a secure site and asked for my debit card #, expiration date and zip code. No name or anything else.
    Once I filled in the info and hit confirm we both received another round of emails.

    Mine: http://imgur.com/vDFnETA
    Hers: http://imgur.com/nEaJdd5

    She clicked on the link to deposit cash and was given the same screen asking for a debit card number, exp. date and zip code. Nothing else.
    After she confirmed, another round of emails went out.

    Mine: http://imgur.com/4shFvyz
    Hers: http://imgur.com/88Xprw4

    The charges appeared instantly on our two accounts as follows.

    Mine: http://imgur.com/bNHDB5u
    Hers: http://imgur.com/Pz6V7On

    I sent another $5 to her account to catch screens from the website. Turns out when you've already linked an account to your email, you just get an email asking to confirm instead of having to relink your bank account. Once you hit the confirm button, money is sent.

    My confirm email: http://imgur.com/vxoiS7t

    She received an email waiting for me to confirm and an email saying that funds were deposited with the same text as before. She didn't have to do anything for the second payment and it was deposited into her account once I confirmed.

    There were no charges or fees at all.
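
The confirmation step that several comments above rely on (the replies under "Sounds ready for abuse" and "Open Relays FTW", and the confirm email in the walkthrough) can be sketched as follows. This is an added example, not part of the thread and not Square's code: the `PendingTransfers` class, the 15-minute token lifetime and the accepted subject format are assumptions, and the sample message is constructed from the addresses used in the thread.

```python
import hashlib
import re
import secrets
import time
from email import message_from_string
from email.utils import getaddresses, parseaddr

SERVICE_ADDR = "cash@square.com"   # Cc address named in the summary
TOKEN_TTL = 15 * 60                # assumed lifetime of a confirmation link, seconds
AMOUNT_RE = re.compile(r"\$(\d{1,3}(?:,\d{3})*|\d+)(?:\.(\d{2}))?")

# Constructed sample: the forged request from the thread, as the service would see it.
SPOOFED = """\
From: victim.email@victim.domain.com
To: dummy.prepaid.card.email@badguy.com
Cc: cash@square.com
Subject: $1,000,000

Here is the payment I promised.
"""


class PendingTransfers:
    """Headers only ever create a pending record; a token mailed back to the
    claimed sender is the one thing that can turn it into a transfer."""

    def __init__(self, clock=time.time):
        self._pending = {}   # sha256(token) -> record; the raw token is never stored
        self._clock = clock

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def receive(self, raw):
        """Parse an inbound request. Returns (claimed_sender, token) or None.
        The token must be delivered only to claimed_sender's mailbox."""
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()   # a claim, not an identity
        to = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
        cc = [a.lower() for _, a in getaddresses(msg.get_all("Cc", []))]
        amount = AMOUNT_RE.fullmatch((msg.get("Subject") or "").strip())
        if not sender or len(to) != 1 or SERVICE_ADDR not in cc or not amount:
            return None
        cents = int(amount.group(1).replace(",", "")) * 100 + int(amount.group(2) or 0)
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = {
            "from": sender,
            "to": to[0],
            "cents": cents,
            "expires": self._clock() + TOKEN_TTL,
        }
        return sender, token

    def confirm(self, token):
        """Redeem a token once. Returns the transfer record, or None if the
        token is unknown, already used, or expired."""
        record = self._pending.pop(self._key(token), None)   # pop makes it single use
        if record is None or self._clock() > record["expires"]:
            return None
        return record
```

The token is a bearer secret, so anyone able to read the confirmation mail can redeem it, which is the interception concern raised in the first comment thread; single use and expiry narrow that window but do not close it.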