Slashdot Mirror
Square Debuts New Email Payment System
cagraham writes "Mobile payment company Square — best known for their smartphone credit-card swipers — has launched a new payment service called Square Cash. The service doesn't require users to sign up or make an account. Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sender for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want within 1-2 business days."
This has got to be the most insecure payment system ever.
Account details over email and 1-2 business days?
Why not just put cash in an envelope and send USPS? At least that way you can't lost more than the cash you send.
Isn't this exactly the same thing as an Interac e-Transfer?
I've been sending money via email for many years this way.
MABASPLOOM!
Obviously this is a front for the NSA so they can get rid of the traditional means of tracking bank transactions and just lump it all into the haystacks of email data the already collect! Government efficiency at it's finest! Brilliant!!
So the From:, Subject, To:, and Cc: headers are what makes this work?
Not a bad idea, really, except that it can all be trivially spoofed, and the resulting set up/confirmation emails can be trivially intercepted and abused at will. Plus, of course, no easy drop-in encryption, and in the end it piggybacks on existing systems, so all the risks associated with them (like credit cards) will be neatly folded into the deal too.
I still prefer the Bitcoin schemes. Now, if I only had some bitcoin to toss around :(
Time Bomber the Book coming soon.
What's stopping Eve from sending herself an email from a novice computer user and having said user give out their card info? Since anyone can send an email using any email address, this feels problematic.
Why does the US have such an antiquated banking system? Hell, a lot of places still need checks because they won't take plastic!
I've had bank accounts in the UK, Australia, Germany, Canada and the US.
Canada is basically the US in this context..banks are no better. They do have email money transfers though.
Which is something every other damn country has. A way to transfer money between bank accounts of individuals securely and free. The only option in the US has been paypal or chase quickpay.
Not to mention the reliance on checks (ridiculous!) and the problems with ACH fraud. Again, in no other country has my account number been secret information which I have to protect. The worst thing people could do is put money into my account.
So many issues....
If you ignore ACs because they are anonymous - you're an idiot.
Drug Deal!
Except Drug Dealers don't keep Bank Accounts. Its a cash and you are carrying business.
This requires you to give Square Your debit card info, and makes your recipient give you THEIR bank details.
Seriously, the NSA couldn't have dreamed up a move invasive scheme. What could possibly go wrong with that?
Left unsaid in the linked article, (and also the Square website) is how square is going to monetize this, other than by
*cough* losing one out of a hundred payments. They claim the service is free. FAQ Here to both parties. So, how do they finance that, other than getting a piece of the debit card fee? (Senders have to use a Debit card).
One wonders just how much the debit card fee is jacked up to allow Square to assume the risk for this type of service, and handle the deluge of complaints and lost payments claims. And how many will be suckered into handing over their bank info to a 419 email purportedly from Square.
World Plus Dog is rushing to mobile payments, but I'm not so sure this is well thought out.
Sig Battery depleted. Reverting to safe mode.
From what I understand Square is a credit card processing service, which means they fall under certain other regulations. Not quite the same as banks, but certainly not out in the wild west as far as regulations go. I've known several small business owners who used them for credit card payments for a while now and both owners and customers seemed happy enough with the results.
How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]
Time flies when you don't know what you're doing
telnet random.openmailrelay.com 25 HELO victim.domain.com MAIL FROM: victim.email@victim.domain.com RCPT TO: dummy.prepaid.card.email@badguy.com DATA CC: cash@square.com SUBJECT: $1,000,000 Here is the payment I promised. . QUIT Profit!
Simply click this link and input your debit card details! I promise nothing bad will happen.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
So when you go to a store to buy something, you ask the guy behind the register to follow you to a bank to complete the transaction?
No, I didn't think so. Instead, if you don't use cash everywhere, you probably hand the guy behind the register your credit card. If his register looks iPad shaped (and, in my experience, any new business that has opened in the past two years has registers that are distinctly iPad shaped), then he's processing your credit card through Square or a similar service. So you already trust them.
It doesn't hurt to be nice.
Square requires your debit card info and SQUARE gets the recipients bank account details not the guy paying.
Yes, good catch, that't what I meant to type, but my fingers occasionally get ahead of me.
Still, Square ends up knowing a whole hell of a lot about people who may use the service exactly once.
We can only hope they have good security, because a break-in of their site could cause wide spread
financial chaos.
They have to keep lots of backup, simply to protect themselves and research transactions. Presumably all of their data is heavily encrypted, and they have off-site backups other than the NSA.
Sig Battery depleted. Reverting to safe mode.
I sent my girlfriend $5 to try it out. It went down like this.
Send an email to her composed as such:
To: girlfriend@gfmail.com
Cc: cash@square.com
Subject: $5
Body: Ladida whatever
She received the email, and immediately afterwards we both received an email stating I was sending her funds.
My Email: http://imgur.com/f264wIG
Her Email: http://imgur.com/F8GhpJ9
When I hit the link card button, it brought me to a secure site and asked for my debit card #, expiration date and zip code. No name or anything else.
Once I filled in the info and hit confirm we both received another round of emails.
Mine: http://imgur.com/vDFnETA
Hers: http://imgur.com/nEaJdd5
She clicked on the link to deposit cash and was given the same screen asking for a debit card number, exp. date and zip code. Nothing else.
After she confirmed, another round of emails went out.
Mine: http://imgur.com/4shFvyz
Hers: http://imgur.com/88Xprw4
The charges appeared instantly on our two accounts as follows.
Mine: http://imgur.com/bNHDB5u
Hers: http://imgur.com/Pz6V7On
I sent another $5 to her account to catch screens from the website. Turns out when you're already linked an account to your email, you just get an email asking to confirm instead of having to relink your bank account. Once you hit the confirm button, money is sent.
My confirm email: http://imgur.com/vxoiS7t
She received an email waiting for me to confirm and an email saying that funds were deposited with the same text as before. She didn't have to do anything for the second payment and it was deposited into her account once i confirmed.
There were no charges or fees at all.