Forgot your password?
typodupeerror
The Almighty Buck Communications

Square Debuts New Email Payment System 240

Posted by Soulskill
from the all-about-the-benjamins dept.
cagraham writes "Mobile payment company Square — best known for their smartphone credit-card swipers — has launched a new payment service called Square Cash. The service doesn't require users to sign up or make an account. Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sender for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want within 1-2 business days."
This discussion has been archived. No new comments can be posted.

Square Debuts New Email Payment System

Comments Filter:
  • Ummmm... (Score:5, Insightful)

    by Anonymous Coward on Wednesday October 16, 2013 @01:04PM (#45145443)

    This has got to be the most insecure payment system ever.

  • Really? (Score:4, Insightful)

    by mcmonkey (96054) on Wednesday October 16, 2013 @01:04PM (#45145451) Homepage

    Account details over email and 1-2 business days?

    Why not just put cash in an envelope and send USPS? At least that way you can't lost more than the cash you send.

    • Re:Really? (Score:4, Informative)

      by Anonymous Coward on Wednesday October 16, 2013 @01:13PM (#45145541)

      You don't send your account details in the email. They give you a link where you go to provide the details.

    • by Catskul (323619)

      You like dealing with physical mail, and cash? Good for you. Most people don't.

    • Re:Really? (Score:5, Informative)

      by ljw1004 (764174) on Wednesday October 16, 2013 @01:30PM (#45145735)

      RTFA. "If this is your first time using the service, Square will email you a link to its service, where you’ll be asked to enter your debit-card information."

    • by icebike (68054)

      Exactly.

      You have to have an inordinate amount of trust in Square to use this service from EITHER end.

      Sender hands over Debit Card info.
      Receiver hands over BANK Account info.
      Really?

      Much as people love to hate PayPal, their process is more reliable.
      Paypal offers a Paypal balance backed Debit Card if you want to fund the kid at college without
      co-signing a credit card application.
      Even Google will transfer money for you these days.

      • by suutar (1860506)
        Keep in mind, Square's been doing "sender of money hands over card info, recipient of money hands over bank account info" for years. It's just that the recipient set up the account first and then met the sender face to face.
        • by tlhIngan (30335)

          Question - is it debit card only? The sender can't use a credit card?

          That is one of the reasons why Square is good, and why Paypal is popular - you can just use your credit card and not debit card...

          I understand debit for receiving payments, but sending them?

          • by Kalriath (849904)

            To get away with the "no fees", they really can't accept credit cards, and have to hope that the interest on the money they hold for 2 days makes up for the interchange on the debit transaction.

      • by shaitand (626655)
        Both the sender and recipient have to provide their information to Paypal and Google for their services as well.

        The law is set up in such a way that all money exchangers are required to get identifying information from you. But even if they weren't, you have to provide a source and destination for the funds to get them in and out of the service.
    • Re:Really? (Score:5, Interesting)

      by hawky (14175) on Wednesday October 16, 2013 @01:46PM (#45145905) Homepage

      We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.

      • Re:Really? (Score:4, Interesting)

        by pepty (1976012) on Wednesday October 16, 2013 @02:37PM (#45146331)
        Were there debit card fees from the banks, etc?
      • Re:Really? (Score:5, Insightful)

        by n7ytd (230708) on Wednesday October 16, 2013 @03:36PM (#45146749)

        We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.

        So now can you spoof another e-mail from your co-worker to yourself, CC'ed to square and get more money from him in less than 5 minutes?

    • 1) Account details are not sent over e-mail. You simply CC Square on an e-mail that you send to the recipient with the amount of the transaction in the subject line. Square then withdraws that amount from your account (which you've previously configured with them, or else which you're prompted to configure at their site before the payment will proceed) and sends the recipient an e-mail so that they can redeem it. Their app is basically a front-end for doing the exact same thing.

      2) Sending stuff via snail ma

  • Interac (Score:5, Interesting)

    by neoform (551705) <djneoform@gmail.com> on Wednesday October 16, 2013 @01:08PM (#45145489) Homepage

    Isn't this exactly the same thing as an Interac e-Transfer [wikipedia.org]?

    I've been sending money via email for many years this way.

    • by aclarke (307017)
      That's because you're Canadian (I assume). Try to think like an American, because they don't use Interac.
      • by neoform (551705)

        I guess I never really noticed that this was a Canadian specific thing. Seems I wrongfully assumed the US banking system had something similar.

    • Re:Interac (Score:4, Interesting)

      by Catskul (323619) on Wednesday October 16, 2013 @01:18PM (#45145601) Homepage

      There are many systems like this including POP money. The difference AFAICT is that this does not require bank participation.

      • From the summary: "Square asks the sending for their debit card info..."

        That sounds like bank participation to me.
        • by Catskul (323619)

          The bank doesn't need to sign up for a special program a la the OP's suggestion of Interac e-Transfer. It just uses your debit card functionality.

        • by icebike (68054)

          From the summary: "Square asks the sending for their debit card info..."

          That sounds like bank participation to me.

          Further, Square asks the Recipient for their bank account info.
          That sounds even more like bank participation. Willingly or not.

          How many people are going to receive an email purporting to be from Square offering an amount of money
          which will give them a link to click to post their bank account details, directly into a website run by some 419 scammers?

  • by Shirogitsune (1810950) on Wednesday October 16, 2013 @01:08PM (#45145491) Homepage
    Obviously this is a front for the NSA so they can get rid of the traditional means of tracking bank transactions and just lump it all into the haystacks of email data the already collect! Government efficiency at it's finest! Brilliant!!
  • by Anonymous Coward on Wednesday October 16, 2013 @01:08PM (#45145493)

    So the From:, Subject, To:, and Cc: headers are what makes this work?

    Not a bad idea, really, except that it can all be trivially spoofed, and the resulting set up/confirmation emails can be trivially intercepted and abused at will. Plus, of course, no easy drop-in encryption, and in the end it piggybacks on existing systems, so all the risks associated with them (like credit cards) will be neatly folded into the deal too.

  • We've been able to do this in Canada for quite a while now using Interac e-Transfer. http://www.interac.ca/en/interac-etransfer/etransfer-detail [interac.ca]

    It's incredibly convenient, and only takes a few hours to transfer funds.
  • Bitcoin (Score:5, Informative)

    by Austrian Anarchy (3010653) on Wednesday October 16, 2013 @01:12PM (#45145523) Homepage Journal
    I still prefer the Bitcoin schemes. Now, if I only had some bitcoin to toss around :(
    • by PRMan (959735)
      Why would you get rid of your precious bitcoins this week when they are going up, up, up. Meanwhile, the US dollar may be in trouble really soon...
  • by LikwidCirkel (1542097) on Wednesday October 16, 2013 @01:12PM (#45145527)
    If they charge you by debit, the assumption is that you need a bank account somewhere. Most bank accounts already allow one to send an "Interac E-Transfer" to any email address for a relatively low fee. I've done it multiple times. Maybe it's just a Canadian thing.

    Why would I want to introduce a third party into this, when I can already do it through my existing bank?
  • by gameboyhippo (827141) on Wednesday October 16, 2013 @01:15PM (#45145575) Journal

    What's stopping Eve from sending herself an email from a novice computer user and having said user give out their card info? Since anyone can send an email using any email address, this feels problematic.

    • It certainly opens up the door for phishing scams where you spam Square with spoofed header transfer requests and hope that some percentage of people who get the legit emails from Square fill out the form and complete the transfer. But in and of itself it is not any more risky that Paypal or giving out your credit card info over SSL to a trusted company.
  • Wait.... (Score:3, Insightful)

    by Kenja (541830) on Wednesday October 16, 2013 @01:16PM (#45145587)
    So all I need to do is email some anonymous database my credit card information? What could go wrong?
  • Sorry, what? (Score:3, Insightful)

    by gstoddart (321705) on Wednesday October 16, 2013 @01:19PM (#45145611) Homepage

    And why on Earth would I trust Square?

    See, banks have mechanisms in place to do this. And banks are regulated.

    Square wants to become a middle-man for these transactions, but they aren't a bank and aren't regulated like one.

    Which means when (not if) Square fucks up, you'll be dealing with a company in terms of their EULA which says "we're not a bank, and not actually responsible for anything". With a bank you have some recourse.

    Given how video game companies have been faring with security and protecting of this kind of information, my first thought is "how long before they have a security breach, and what recourse will you have".

    Sorry, but I'll stick with using banks to transfer money.

    • Re:Sorry, what? (Score:5, Informative)

      by ImprovOmega (744717) on Wednesday October 16, 2013 @01:37PM (#45145807)
      From what I understand Square is a credit card processing service, which means they fall under certain other regulations. Not quite the same as banks, but certainly not out in the wild west as far as regulations go. I've known several small business owners who used them for credit card payments for a while now and both owners and customers seemed happy enough with the results.
      • Given how video game companies have been faring

        From what I understand Square is a credit card processing service

        I think it might have been a pun on Square Enix, the company behind Rad Racer and Chocobo Racing.

    • Re:Sorry, what? (Score:4, Insightful)

      by SydShamino (547793) on Wednesday October 16, 2013 @02:12PM (#45146097)

      So when you go to a store to buy something, you ask the guy behind the register to follow you to a bank to complete the transaction?

      No, I didn't think so. Instead, if you don't use cash everywhere, you probably hand the guy behind the register your credit card. If his register looks iPad shaped (and, in my experience, any new business that has opened in the past two years has registers that are distinctly iPad shaped), then he's processing your credit card through Square or a similar service. So you already trust them.

  • by metrix007 (200091) on Wednesday October 16, 2013 @01:21PM (#45145643)

    Why does the US have such an antiquated banking system? Hell, a lot of places still need checks because they won't take plastic!

    I've had bank accounts in the UK, Australia, Germany, Canada and the US.

    Canada is basically the US in this context..banks are no better. They do have email money transfers though.

    Which is something every other damn country has. A way to transfer money between bank accounts of individuals securely and free. The only option in the US has been paypal or chase quickpay.

    Not to mention the reliance on checks (ridiculous!) and the problems with ACH fraud. Again, in no other country has my account number been secret information which I have to protect. The worst thing people could do is put money into my account.

    So many issues....

    • Hell, a lot of places still need checks because they won't take plastic!

      What part of the US are you visiting? Even traveling food trucks take plastic nowadays, unless you're out in the middle of the Carolina High Desert or the Kentucky Jungles or someplace.

      • by metrix007 (200091)

        I've lived in the US for some time, based in NYC.

        There are still a lot of places that won't take plastic. Rental agencies, for instance.

        • What are you trying to rent? I've rented everything from cars to tuxes using a credit card, never cash. The only rentals that I imagine are a cash-only service involve illicits. NYC is different from the rest of the country. Here in Texas, even the taco trucks take credit card (alongside U.S. cash, and sometimes pesos).

          • Gee, I dunno. When someone talks about paying rent, you think they're talking about cars and tuxes?

            Many people rent a residence. To live in. As shelter. Apparently this is uncommon in Texas?
    • by PRMan (959735)
      Because the banks are used to getting massive fees and delaying all payments for 3 days. Why should they change anything?
    • by jader3rd (2222716)

      Why does the US have such an antiquated banking system?

      Because it works and the votes to change it didn't make the majority which was needed to change the system. The Invisible Plumbing Of Our Economy [npr.org] is a really good listen and answers your question pretty thoroughly. In the IK there was a mandate from the government to speed things up. Given all that's happened with the Great Recession it's apparent that the US government doesn't have the power to mandate anything to the banks.

  • by Anonymous Coward

    Interesting idea that Square have come up with.

    This will only be their first step. The next goal will be to have all transactions take place using their own currency denomination, Gil (G). From there, they can bypass the online gambling ban and provide real-time Chocobo Racing streamed into the home.

  • by Floyd-ATC (2619991) on Wednesday October 16, 2013 @01:43PM (#45145869) Homepage
    How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]
    • by Animats (122034) on Wednesday October 16, 2013 @02:30PM (#45146259) Homepage

      How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]

      Big companies are encouraging this, by sending emails that meet all the criteria for phishing emails. I just got a receipt email from Virgin Mobile after making a payment. The path taken by the mail goes through "mh.nextel.m0.net", "oms16.dc1.prod" (which isn't even a valid TLD), and "cmil278.amdocs.com". The mail text is base-64 encoded HTML only, no text version. That just screams "hostile code".

      How are people supposed to recognize phishing emails with legit companies sending crap like that?

      "m0.net" says on their site "This domain is owned by Acxiom Digital, a leading provider of email marketing solutions for Global 2000 enterprises."

  • by Fenixfyre42 (993575) on Wednesday October 16, 2013 @01:49PM (#45145929)
    telnet random.openmailrelay.com 25 HELO victim.domain.com MAIL FROM: victim.email@victim.domain.com RCPT TO: dummy.prepaid.card.email@badguy.com DATA CC: cash@square.com SUBJECT: $1,000,000 Here is the payment I promised. . QUIT Profit!
    • So when victim.email@victim.domain.com is asked to validate that he wants to send $1,000,000, and is asked to provide a debit card for the transaction, he'll go along with it because the email says he originated the request?

  • To use this system, I get an email, purportedly from Square, asking me for my debit card information. What could possibly go wrong?

    And could someone please tell me why we can't just do bank-to-bank transfers like they do in Europe? We're getting closer now. Through B of A, I can send money to a phone # or email address (is this just PopMoney?), but I've never tested the UX on that to see if it's a pain in the ass for the recipient.

    • by jader3rd (2222716)

      And could someone please tell me why we can't just do bank-to-bank transfers like they do in Europe?

      Because all banks have an interface to the clearing house, and the clearing house was designed to replace guys driving up with trucks full of checks and swapping bags, so the code in the clearing house was designed around the model of every player showing up once a day with a batch of transactions and swapping information. The banks wouldn't make any money by doing faster transfers to their competitors, so why would they change?

      • The banks wouldn't make any money by doing faster transfers to their competitors, so why would they change?

        Uhh, maybe because people want features that make their lives easier, and people will bank with banks that give them what they want?

        Bank of America is a great example. They give me free payroll services, free business remote deposit capture, next business day deposit funds availability, and a platform that integrates all of the features seamlessly. Well, guess what, I do all of my business banking with them because they make my life easier with crap that basically costs them nothing.

        And because everything i

  • I don't have a debit card - and never will. They're evil, and unnecessary/stupid for people that have a CC and pay it off every month...

    • You can't get cash for free out of your credit card. You can at almost every store that takes debit cards, for no extra effort or fee.

    • by xaxa (988988)

      I don't have a debit card - and never will. They're evil, and unnecessary/stupid for people that have a CC and pay it off every month...

      The merchant's fees for a debit card tend to be fixed, but for a credit card they're a percentage (I think this is the same in the US as it is here). There's also no limit beyond the amount in the account, and it's much more difficult to reverse the transaction, i.e. more trusted by the merchant.

      If I were buying a car, I'd use a debit card (my credit limit is £3000, though they'd probably increase it if I asked). I paid the deposit to rent this flat using a debit card. Airlines usually charge a fee

      • I don't have a debit card - and never will. They're evil, and unnecessary/stupid for people that have a CC and pay it off every month...

        The merchant's fees for a debit card tend to be fixed, but for a credit card they're a percentage (I think this is the same in the US as it is here). There's also no limit beyond the amount in the account, and it's much more difficult to reverse the transaction, i.e. more trusted by the merchant.

        If I were buying a car, I'd use a debit card (my credit limit is £3000, though they'd probably increase it if I asked). I paid the deposit to rent this flat using a debit card. Airlines usually charge a fee for paying by credit card, which they don't charge if paying by debit card.

        All probably true, but your account can't get drained with a CC and you can simply challenge a bad expense on your CC statement w/o having to pay for it while it's under review (and other CC protections are at least, if not better, than for a DC). While you have to ask (beg) your bank to get your funds back stolen with a DC and handle any bounced payments, etc... (which a nice bank *might* handle and waive fees) - I don't like that. You also get a one-month float on your CC charges.

        I have a no-fee CC and

    • by black3d (1648913)

      The opposite tends to be true.

      If you have money to pay off the CC, then the credit card is unnecessary and stupid. Why would you need to maintain a line of credit just to pay it off with cash you already have? This is where a debit card's perfect. It's a credit card you can use everywhere and costs you less to run. While most online vendors may charge you a credit card fee even for using a debit card, almost no retailer ever will. To them, it's just an EFTPOS card. You gain the convenience of a credit card

  • I have sent you $50! (Score:4, Informative)

    by TheSpoom (715771) <slashdot@@@uberm00...net> on Wednesday October 16, 2013 @02:08PM (#45146073) Homepage Journal

    Simply click this link and input your debit card details! I promise nothing bad will happen.

  • What prevents someone from spoofing an e-mail from you to send themself money?

    Let's say you meet up with some guy in a parking lot to conduct some sort of craigslist transaction. You agree to pay him using Square and you e-mail him the cash. At this point he knows you have a debit card linked to your Square account, so what prevents him from forging an e-mail from the e-mail address you used to send him cash, to him, CC'ing cash@square.com and putting 5000 in the subject line? Will Square then deduct
  • by VortexCortex (1117377) <VortexCortexNO@S ... t-retrograde.com> on Wednesday October 16, 2013 @03:38PM (#45146775)


    "Square ... has launched a new payment service called Square Cash."

    AKA: Final Fantasy I thru X

    "The service doesn't require users to sign up or make an account."

    Yep, but they make you grind harder than ever for credits...

  • by future assassin (639396) on Wednesday October 16, 2013 @03:41PM (#45146797) Homepage

    in the mid 2000's use to do that with Beam Cash although you needed an account http://www.hyperwallet.com/consumer/help/beam-cash-email-money-transfers.html [hyperwallet.com]

  • by hugetoon (766694) on Wednesday October 16, 2013 @04:12PM (#45147073)

    I tried a 1$ transfer using a virtual payment card (I can obtain a one time card number on my bank site limited to a specific amount, this is usefull for online purchases). I could not link this card: "Card not supported".
    Too bad, i really wanted to test their service with a spoofed mail after doing first transaction normally.
    There is no way I'll be providing them my real card number.

    Hint: they do not brag about being PCI DSS certified (not even compliant) that certainly means they are not.
    They only say: "You’re safe with us. The privacy and security of your financial information is our top priority." which is not very reassuring to say the least.

    • by vanyel (28049) *

      It has to be a debit card; since Paypal stopped doing virtual cards, I don't know of any debit cards that do them any more. I have Discover and Citibank credit cards specifically because they do support them, though that doesn't help here.

      And actually, they do brag about being PCI DSS certified in their "Security" section.

      Which doesn't mitigate the fact that they are setting up a phishing gold mine: "click here to enter your debit card number and receive some free money!"

  • by Seor Jojoba (519752) on Wednesday October 16, 2013 @05:58PM (#45148013) Homepage
    It works. You have to give them credit - the process is extremely simple. I could see it taking off. From a security perspective, it's not great. But it's also not as bad as some people here are making out. You don't send any information over email other than the email addresses of the sender and receiver, and sender's intent to send $x to seller. Phishers are likely to pattern "you've got money" emails off of these Square emails to people. But these are just another variation on "give me info/money, so I can send you money" scams. Same common sense defenses apply--If you aren't expecting money from somebody, don't give out personal info. And then there are more sophisticated man-in-the-middle attacks combined with spoofing the "you've got money" email or replacing content in it. Those are the ones I'd worry about, but they are also much harder to set up. When you go to your online banking website, do you worry about someone spoofing the whole site (or at least the login) and making the DNS point towards the spoofed site? I do, but not enough to stop using it.
  • by mediocrist (3399979) on Wednesday October 16, 2013 @08:18PM (#45148885)
    I sent my girlfriend $5 to try it out. It went down like this.

    Send an email to her composed as such:

    To: girlfriend@gfmail.com
    Cc: cash@square.com
    Subject: $5
    Body: Ladida whatever

    She received the email, and immediately afterwards we both received an email stating I was sending her funds.

    My Email: http://imgur.com/f264wIG [imgur.com]
    Her Email: http://imgur.com/F8GhpJ9 [imgur.com]

    When I hit the link card button, it brought me to a secure site and asked for my debit card #, expiration date and zip code. No name or anything else.
    Once I filled in the info and hit confirm we both received another round of emails.

    Mine: http://imgur.com/vDFnETA [imgur.com]
    Hers: http://imgur.com/nEaJdd5 [imgur.com]

    She clicked on the link to deposit cash and was given the same screen asking for a debit card number, exp. date and zip code. Nothing else.
    After she confirmed, another round of emails went out.

    Mine: http://imgur.com/4shFvyz [imgur.com]
    Hers: http://imgur.com/88Xprw4 [imgur.com]

    The charges appeared instantly on our two accounts as follows.

    Mine: http://imgur.com/bNHDB5u [imgur.com]
    Hers: http://imgur.com/Pz6V7On [imgur.com]

    I sent another $5 to her account to catch screens from the website. Turns out when you're already linked an account to your email, you just get an email asking to confirm instead of having to relink your bank account. Once you hit the confirm button, money is sent.

    My confirm email: http://imgur.com/vxoiS7t [imgur.com]

    She received an email waiting for me to confirm and an email saying that funds were deposited with the same text as before. She didn't have to do anything for the second payment and it was deposited into her account once i confirmed.

    There were no charges or fees at all.

CCI Power 6/40: one board, a megabyte of cache, and an attitude...

Working...