Square Debuts New Email Payment System 240
cagraham writes "Mobile payment company Square — best known for their smartphone credit-card swipers — has launched a new payment service called Square Cash. The service doesn't require users to sign up or make an account. Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sender for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want within 1-2 business days."
Ummmm... (Score:5, Insightful)
This has got to be the most insecure payment system ever.
Really? (Score:4, Insightful)
Account details over email and 1-2 business days?
Why not just put cash in an envelope and send USPS? At least that way you can't lost more than the cash you send.
Sounds ready for abuse (Score:5, Insightful)
So the From:, Subject, To:, and Cc: headers are what makes this work?
Not a bad idea, really, except that it can all be trivially spoofed, and the resulting set up/confirmation emails can be trivially intercepted and abused at will. Plus, of course, no easy drop-in encryption, and in the end it piggybacks on existing systems, so all the risks associated with them (like credit cards) will be neatly folded into the deal too.
Wait.... (Score:3, Insightful)
Sorry, what? (Score:3, Insightful)
And why on Earth would I trust Square?
See, banks have mechanisms in place to do this. And banks are regulated.
Square wants to become a middle-man for these transactions, but they aren't a bank and aren't regulated like one.
Which means when (not if) Square fucks up, you'll be dealing with a company in terms of their EULA which says "we're not a bank, and not actually responsible for anything". With a bank you have some recourse.
Given how video game companies have been faring with security and protecting of this kind of information, my first thought is "how long before they have a security breach, and what recourse will you have".
Sorry, but I'll stick with using banks to transfer money.
Re:Won't take off, but may Rip You Off (Score:5, Insightful)
Drug Deal!
Except Drug Dealers don't keep Bank Accounts. Its a cash and you are carrying business.
This requires you to give Square Your debit card info, and makes your recipient give you THEIR bank details.
Seriously, the NSA couldn't have dreamed up a move invasive scheme. What could possibly go wrong with that?
Left unsaid in the linked article, (and also the Square website) is how square is going to monetize this, other than by
*cough* losing one out of a hundred payments. They claim the service is free. FAQ Here [squareup.com] to both parties. So, how do they finance that, other than getting a piece of the debit card fee? (Senders have to use a Debit card).
One wonders just how much the debit card fee is jacked up to allow Square to assume the risk for this type of service, and handle the deluge of complaints and lost payments claims. And how many will be suckered into handing over their bank info to a 419 email purportedly from Square.
World Plus Dog is rushing to mobile payments, but I'm not so sure this is well thought out.
Re:Ummmm... (Score:4, Insightful)
Training users to click on links in their inbox (Score:5, Insightful)
Re:Really? (Score:5, Insightful)
Sounds like an easy way to do a phishing scam.
Re:Sorry, what? (Score:4, Insightful)
So when you go to a store to buy something, you ask the guy behind the register to follow you to a bank to complete the transaction?
No, I didn't think so. Instead, if you don't use cash everywhere, you probably hand the guy behind the register your credit card. If his register looks iPad shaped (and, in my experience, any new business that has opened in the past two years has registers that are distinctly iPad shaped), then he's processing your credit card through Square or a similar service. So you already trust them.
Re:Won't take off, but may Rip You Off (Score:4, Insightful)
Square requires your debit card info and SQUARE gets the recipients bank account details not the guy paying.
Yes, good catch, that't what I meant to type, but my fingers occasionally get ahead of me.
Still, Square ends up knowing a whole hell of a lot about people who may use the service exactly once.
We can only hope they have good security, because a break-in of their site could cause wide spread
financial chaos.
They have to keep lots of backup, simply to protect themselves and research transactions. Presumably all of their data is heavily encrypted, and they have off-site backups other than the NSA.
Re:Really? (Score:5, Insightful)
We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.
So now can you spoof another e-mail from your co-worker to yourself, CC'ed to square and get more money from him in less than 5 minutes?