Square Debuts New Email Payment System 240
cagraham writes "Mobile payment company Square — best known for their smartphone credit-card swipers — has launched a new payment service called Square Cash. The service doesn't require users to sign up or make an account. Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sender for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want within 1-2 business days."
Ummmm... (Score:5, Insightful)
This has got to be the most insecure payment system ever.
Re: (Score:2)
How so?
Re:Ummmm... (Score:5, Informative)
You shouldn't send that kind of account info by email.
Re:Ummmm... (Score:5, Informative)
You don't send account info via email. Read the article, or even just the summary more carefully.
Re: (Score:2)
You don't actually need to read the article. The summary suggests that all that goes in the email is the amount, and the CC to cash@square.com.
Instead, they just email the person they'd like to transfer money to (with the amount as the subject), and CC 'cash@square.com.' Square asks the sending for their debit card info, and then sends a link to the recipient, who can transfer the money into any account they want .
Re:Ummmm... (Score:4, Insightful)
Re:Ummmm... (Score:4, Funny)
The NSA can finally finance all the email spying they're doing!
Really? (Score:4, Insightful)
Account details over email and 1-2 business days?
Why not just put cash in an envelope and send USPS? At least that way you can't lost more than the cash you send.
Re:Really? (Score:4, Informative)
You don't send your account details in the email. They give you a link where you go to provide the details.
Re:Really? (Score:5, Insightful)
Sounds like an easy way to do a phishing scam.
Re: (Score:2)
You like dealing with physical mail, and cash? Good for you. Most people don't.
Re:Really? (Score:5, Informative)
RTFA. "If this is your first time using the service, Square will email you a link to its service, where you’ll be asked to enter your debit-card information."
Re: (Score:2)
Exactly.
You have to have an inordinate amount of trust in Square to use this service from EITHER end.
Sender hands over Debit Card info.
Receiver hands over BANK Account info.
Really?
Much as people love to hate PayPal, their process is more reliable.
Paypal offers a Paypal balance backed Debit Card if you want to fund the kid at college without
co-signing a credit card application.
Even Google will transfer money for you these days.
Re: (Score:3)
Re: (Score:2)
Question - is it debit card only? The sender can't use a credit card?
That is one of the reasons why Square is good, and why Paypal is popular - you can just use your credit card and not debit card...
I understand debit for receiving payments, but sending them?
Re: (Score:2)
To get away with the "no fees", they really can't accept credit cards, and have to hope that the interest on the money they hold for 2 days makes up for the interchange on the debit transaction.
Re: (Score:2)
The law is set up in such a way that all money exchangers are required to get identifying information from you. But even if they weren't, you have to provide a source and destination for the funds to get them in and out of the service.
Re:Really? (Score:5, Interesting)
We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.
Re:Really? (Score:4, Interesting)
Re:Really? (Score:5, Insightful)
We tried it. My co-worker sent me $15. After the initial email, we both tied our debit cards to our email addresses, and I had the funds in my account in less than 5 minutes. Since our cards are now linked I imagine it will be even quicker in the future.
So now can you spoof another e-mail from your co-worker to yourself, CC'ed to square and get more money from him in less than 5 minutes?
Re: (Score:2)
1) Account details are not sent over e-mail. You simply CC Square on an e-mail that you send to the recipient with the amount of the transaction in the subject line. Square then withdraws that amount from your account (which you've previously configured with them, or else which you're prompted to configure at their site before the payment will proceed) and sends the recipient an e-mail so that they can redeem it. Their app is basically a front-end for doing the exact same thing.
2) Sending stuff via snail ma
Interac (Score:5, Interesting)
Isn't this exactly the same thing as an Interac e-Transfer [wikipedia.org]?
I've been sending money via email for many years this way.
Re: (Score:3)
Re: (Score:2)
I guess I never really noticed that this was a Canadian specific thing. Seems I wrongfully assumed the US banking system had something similar.
Re:Interac (Score:4, Interesting)
There are many systems like this including POP money. The difference AFAICT is that this does not require bank participation.
Re: (Score:3)
That sounds like bank participation to me.
Re: (Score:3)
The bank doesn't need to sign up for a special program a la the OP's suggestion of Interac e-Transfer. It just uses your debit card functionality.
Re: (Score:3)
From the summary: "Square asks the sending for their debit card info..."
That sounds like bank participation to me.
Further, Square asks the Recipient for their bank account info.
That sounds even more like bank participation. Willingly or not.
How many people are going to receive an email purporting to be from Square offering an amount of money
which will give them a link to click to post their bank account details, directly into a website run by some 419 scammers?
Re: (Score:3)
A bank account number is not sufficient to enact a withdrawal in the US either.
But when combined with other information, its enough to give leverage to some major scammers, forgers, and check kiters, requiring you to spend all sorts of time fending them off, and answering questions.
For many years a company I worked for published their bank account number because they received a lot of business from Europe and payers liked to do wire transfers for some reason.
On multiple occasions people would use this numbe
What could possibly go wrong? (Score:4, Interesting)
Sounds ready for abuse (Score:5, Insightful)
So the From:, Subject, To:, and Cc: headers are what makes this work?
Not a bad idea, really, except that it can all be trivially spoofed, and the resulting set up/confirmation emails can be trivially intercepted and abused at will. Plus, of course, no easy drop-in encryption, and in the end it piggybacks on existing systems, so all the risks associated with them (like credit cards) will be neatly folded into the deal too.
Re: (Score:2)
And spoofed headers don't exist...
Re: (Score:3)
Good point, but all that would do is prompt a confirmation request to be sent back to the "sender", who is either going to realize that he didn't initiate that transaction, or has already given all of his money away to a very helpful friend in Nigeria.
Either way, you won't be able to fake a complete transaction through Square, who really should have stuck to Final Fantasy instead of trying to reinvent the Interac e-Transfer.
Re: (Score:3)
Virtually everyone has secure communication to their email provider these days.
And virtually nobody has secure communication between email providers. So there's a good chance that at some point along the line, your email is being transmitted across the Internet in the clear. Secure IMAP/POP/SMTP is good for protecting your authentication credentials (password), but if you want to protect the contents of your email, you need an end-to-end solution like PGP or S/MIME.
Blame Canada (Score:2)
It's incredibly convenient, and only takes a few hours to transfer funds.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
In that case you don't send anything insecure over email other than a link to the interac site. You also set up a password that you share with the receiving party by phone or some other method.
Bitcoin (Score:5, Informative)
Re: (Score:2)
Exchange cost (Score:2)
I don't understand how this is new. (Score:3)
Why would I want to introduce a third party into this, when I can already do it through my existing bank?
Re: (Score:2)
Re: (Score:2)
That's only in Canada. Not the US.
Re: (Score:3)
So can I send myself an email? (Score:4, Interesting)
What's stopping Eve from sending herself an email from a novice computer user and having said user give out their card info? Since anyone can send an email using any email address, this feels problematic.
Re: (Score:2)
Wait.... (Score:3, Insightful)
Sorry, what? (Score:3, Insightful)
And why on Earth would I trust Square?
See, banks have mechanisms in place to do this. And banks are regulated.
Square wants to become a middle-man for these transactions, but they aren't a bank and aren't regulated like one.
Which means when (not if) Square fucks up, you'll be dealing with a company in terms of their EULA which says "we're not a bank, and not actually responsible for anything". With a bank you have some recourse.
Given how video game companies have been faring with security and protecting of this kind of information, my first thought is "how long before they have a security breach, and what recourse will you have".
Sorry, but I'll stick with using banks to transfer money.
Re:Sorry, what? (Score:5, Informative)
Squaresoft (Score:2)
Given how video game companies have been faring
From what I understand Square is a credit card processing service
I think it might have been a pun on Square Enix, the company behind Rad Racer and Chocobo Racing.
Re:Sorry, what? (Score:4, Insightful)
So when you go to a store to buy something, you ask the guy behind the register to follow you to a bank to complete the transaction?
No, I didn't think so. Instead, if you don't use cash everywhere, you probably hand the guy behind the register your credit card. If his register looks iPad shaped (and, in my experience, any new business that has opened in the past two years has registers that are distinctly iPad shaped), then he's processing your credit card through Square or a similar service. So you already trust them.
Ridiculous that it takes a 3rd party (Score:5, Informative)
Why does the US have such an antiquated banking system? Hell, a lot of places still need checks because they won't take plastic!
I've had bank accounts in the UK, Australia, Germany, Canada and the US.
Canada is basically the US in this context..banks are no better. They do have email money transfers though.
Which is something every other damn country has. A way to transfer money between bank accounts of individuals securely and free. The only option in the US has been paypal or chase quickpay.
Not to mention the reliance on checks (ridiculous!) and the problems with ACH fraud. Again, in no other country has my account number been secret information which I have to protect. The worst thing people could do is put money into my account.
So many issues....
Re: (Score:2)
Hell, a lot of places still need checks because they won't take plastic!
What part of the US are you visiting? Even traveling food trucks take plastic nowadays, unless you're out in the middle of the Carolina High Desert or the Kentucky Jungles or someplace.
Re: (Score:3)
I've lived in the US for some time, based in NYC.
There are still a lot of places that won't take plastic. Rental agencies, for instance.
Re: (Score:2)
What are you trying to rent? I've rented everything from cars to tuxes using a credit card, never cash. The only rentals that I imagine are a cash-only service involve illicits. NYC is different from the rest of the country. Here in Texas, even the taco trucks take credit card (alongside U.S. cash, and sometimes pesos).
Re: (Score:2)
Many people rent a residence. To live in. As shelter. Apparently this is uncommon in Texas?
Re: (Score:2)
Do you really think "rental agency" when you "pay rent"? I've never payed my monthly rent to a "rental agency", in Texas or anywhere else.
Let's ask Google [google.com].
Judging from the first page of hits... yea, I'm not the only one to associate a "rental agency" with "paying rent" with "an apartment".
Re: (Score:2)
Re: (Score:2)
Why does the US have such an antiquated banking system?
Because it works and the votes to change it didn't make the majority which was needed to change the system. The Invisible Plumbing Of Our Economy [npr.org] is a really good listen and answers your question pretty thoroughly. In the IK there was a mandate from the government to speed things up. Given all that's happened with the Great Recession it's apparent that the US government doesn't have the power to mandate anything to the banks.
Subj: $lots From: you To: me CC: these launderers (Score:2)
Thanks for all the money, folks!
Interesting angle ... (Score:2, Funny)
Interesting idea that Square have come up with.
This will only be their first step. The next goal will be to have all transactions take place using their own currency denomination, Gil (G). From there, they can bypass the online gambling ban and provide real-time Chocobo Racing streamed into the home.
Training users to click on links in their inbox (Score:5, Insightful)
Re:Training users to click on links in their inbox (Score:5, Interesting)
How many times must people be hit in the head with a clue bat before they understand that this is a Bad Idea[tm]
Big companies are encouraging this, by sending emails that meet all the criteria for phishing emails. I just got a receipt email from Virgin Mobile after making a payment. The path taken by the mail goes through "mh.nextel.m0.net", "oms16.dc1.prod" (which isn't even a valid TLD), and "cmil278.amdocs.com". The mail text is base-64 encoded HTML only, no text version. That just screams "hostile code".
How are people supposed to recognize phishing emails with legit companies sending crap like that?
"m0.net" says on their site "This domain is owned by Acxiom Digital, a leading provider of email marketing solutions for Global 2000 enterprises."
Open Relays FTW (Score:5, Funny)
Re: (Score:3)
So when victim.email@victim.domain.com is asked to validate that he wants to send $1,000,000, and is asked to provide a debit card for the transaction, he'll go along with it because the email says he originated the request?
Re: (Score:2)
A Phisher's Delight! (Score:2)
To use this system, I get an email, purportedly from Square, asking me for my debit card information. What could possibly go wrong?
And could someone please tell me why we can't just do bank-to-bank transfers like they do in Europe? We're getting closer now. Through B of A, I can send money to a phone # or email address (is this just PopMoney?), but I've never tested the UX on that to see if it's a pain in the ass for the recipient.
Re: (Score:2)
And could someone please tell me why we can't just do bank-to-bank transfers like they do in Europe?
Because all banks have an interface to the clearing house, and the clearing house was designed to replace guys driving up with trucks full of checks and swapping bags, so the code in the clearing house was designed around the model of every player showing up once a day with a batch of transactions and swapping information. The banks wouldn't make any money by doing faster transfers to their competitors, so why would they change?
Re: (Score:2)
The banks wouldn't make any money by doing faster transfers to their competitors, so why would they change?
Uhh, maybe because people want features that make their lives easier, and people will bank with banks that give them what they want?
Bank of America is a great example. They give me free payroll services, free business remote deposit capture, next business day deposit funds availability, and a platform that integrates all of the features seamlessly. Well, guess what, I do all of my business banking with them because they make my life easier with crap that basically costs them nothing.
And because everything i
Sorry. (Score:2)
I don't have a debit card - and never will. They're evil, and unnecessary/stupid for people that have a CC and pay it off every month...
Re: (Score:2)
You can't get cash for free out of your credit card. You can at almost every store that takes debit cards, for no extra effort or fee.
Re: (Score:2)
I don't have a debit card - and never will. They're evil, and unnecessary/stupid for people that have a CC and pay it off every month...
The merchant's fees for a debit card tend to be fixed, but for a credit card they're a percentage (I think this is the same in the US as it is here). There's also no limit beyond the amount in the account, and it's much more difficult to reverse the transaction, i.e. more trusted by the merchant.
If I were buying a car, I'd use a debit card (my credit limit is £3000, though they'd probably increase it if I asked). I paid the deposit to rent this flat using a debit card. Airlines usually charge a fee
Re: (Score:2)
I don't have a debit card - and never will. They're evil, and unnecessary/stupid for people that have a CC and pay it off every month...
The merchant's fees for a debit card tend to be fixed, but for a credit card they're a percentage (I think this is the same in the US as it is here). There's also no limit beyond the amount in the account, and it's much more difficult to reverse the transaction, i.e. more trusted by the merchant.
If I were buying a car, I'd use a debit card (my credit limit is £3000, though they'd probably increase it if I asked). I paid the deposit to rent this flat using a debit card. Airlines usually charge a fee for paying by credit card, which they don't charge if paying by debit card.
All probably true, but your account can't get drained with a CC and you can simply challenge a bad expense on your CC statement w/o having to pay for it while it's under review (and other CC protections are at least, if not better, than for a DC). While you have to ask (beg) your bank to get your funds back stolen with a DC and handle any bounced payments, etc... (which a nice bank *might* handle and waive fees) - I don't like that. You also get a one-month float on your CC charges.
I have a no-fee CC and
Re: (Score:2)
The opposite tends to be true.
If you have money to pay off the CC, then the credit card is unnecessary and stupid. Why would you need to maintain a line of credit just to pay it off with cash you already have? This is where a debit card's perfect. It's a credit card you can use everywhere and costs you less to run. While most online vendors may charge you a credit card fee even for using a debit card, almost no retailer ever will. To them, it's just an EFTPOS card. You gain the convenience of a credit card
I have sent you $50! (Score:4, Informative)
Simply click this link and input your debit card details! I promise nothing bad will happen.
Most important question (Score:2)
Let's say you meet up with some guy in a parking lot to conduct some sort of craigslist transaction. You agree to pay him using Square and you e-mail him the cash. At this point he knows you have a debit card linked to your Square account, so what prevents him from forging an e-mail from the e-mail address you used to send him cash, to him, CC'ing cash@square.com and putting 5000 in the subject line? Will Square then deduct
Old News (Score:3)
"Square
AKA: Final Fantasy I thru X
"The service doesn't require users to sign up or make an account."
Yep, but they make you grind harder than ever for credits...
Hyperwallet (Canada) (Score:3)
in the mid 2000's use to do that with Beam Cash although you needed an account http://www.hyperwallet.com/consumer/help/beam-cash-email-money-transfers.html [hyperwallet.com]
virtual paymend cards not supported (Score:3)
I tried a 1$ transfer using a virtual payment card (I can obtain a one time card number on my bank site limited to a specific amount, this is usefull for online purchases). I could not link this card: "Card not supported".
Too bad, i really wanted to test their service with a spoofed mail after doing first transaction normally.
There is no way I'll be providing them my real card number.
Hint: they do not brag about being PCI DSS certified (not even compliant) that certainly means they are not.
They only say: "You’re safe with us. The privacy and security of your financial information is our top priority." which is not very reassuring to say the least.
Re: (Score:3)
It has to be a debit card; since Paypal stopped doing virtual cards, I don't know of any debit cards that do them any more. I have Discover and Citibank credit cards specifically because they do support them, though that doesn't help here.
And actually, they do brag about being PCI DSS certified in their "Security" section.
Which doesn't mitigate the fact that they are setting up a phishing gold mine: "click here to enter your debit card number and receive some free money!"
Just sent twenty bucks. (Score:3)
Tested it myself, screenshots. (Score:3, Informative)
Send an email to her composed as such:
To: girlfriend@gfmail.com
Cc: cash@square.com
Subject: $5
Body: Ladida whatever
She received the email, and immediately afterwards we both received an email stating I was sending her funds.
My Email: http://imgur.com/f264wIG [imgur.com]
Her Email: http://imgur.com/F8GhpJ9 [imgur.com]
When I hit the link card button, it brought me to a secure site and asked for my debit card #, expiration date and zip code. No name or anything else.
Once I filled in the info and hit confirm we both received another round of emails.
Mine: http://imgur.com/vDFnETA [imgur.com]
Hers: http://imgur.com/nEaJdd5 [imgur.com]
She clicked on the link to deposit cash and was given the same screen asking for a debit card number, exp. date and zip code. Nothing else.
After she confirmed, another round of emails went out.
Mine: http://imgur.com/4shFvyz [imgur.com]
Hers: http://imgur.com/88Xprw4 [imgur.com]
The charges appeared instantly on our two accounts as follows.
Mine: http://imgur.com/bNHDB5u [imgur.com]
Hers: http://imgur.com/Pz6V7On [imgur.com]
I sent another $5 to her account to catch screens from the website. Turns out when you're already linked an account to your email, you just get an email asking to confirm instead of having to relink your bank account. Once you hit the confirm button, money is sent.
My confirm email: http://imgur.com/vxoiS7t [imgur.com]
She received an email waiting for me to confirm and an email saying that funds were deposited with the same text as before. She didn't have to do anything for the second payment and it was deposited into her account once i confirmed.
There were no charges or fees at all.
Re: (Score:2)
Drug Deal!
Re:Won't take off, but may Rip You Off (Score:5, Insightful)
Drug Deal!
Except Drug Dealers don't keep Bank Accounts. Its a cash and you are carrying business.
This requires you to give Square Your debit card info, and makes your recipient give you THEIR bank details.
Seriously, the NSA couldn't have dreamed up a move invasive scheme. What could possibly go wrong with that?
Left unsaid in the linked article, (and also the Square website) is how square is going to monetize this, other than by
*cough* losing one out of a hundred payments. They claim the service is free. FAQ Here [squareup.com] to both parties. So, how do they finance that, other than getting a piece of the debit card fee? (Senders have to use a Debit card).
One wonders just how much the debit card fee is jacked up to allow Square to assume the risk for this type of service, and handle the deluge of complaints and lost payments claims. And how many will be suckered into handing over their bank info to a 419 email purportedly from Square.
World Plus Dog is rushing to mobile payments, but I'm not so sure this is well thought out.
Re: (Score:2)
They claim the service is free. FAQ Here [squareup.com] to both parties. So, how do they finance that, other than getting a piece of the debit card fee? (Senders have to use a Debit card).
The get the 1-2 days of float on the translation. That may be enough to enable them to make a little profit.
Re: (Score:2)
Thankfully...I don't have/use a Debit Card. I ask my bank for a plain, simple non-debit ATM card.
I use that when I need cash to carry around for the week...and I'm good to go.
I still prefer the anonymity of cash, and since it doesn't abstract the spending of your money (much like chips in a casino)...I have a better feel where my money is going every week for living expenses (groceries, etc).
Re: (Score:2)
I don't know about having a better feel where your money is going. I can get an exact list of everything I purchased in an easily accessible online format. It is hard to have a better idea where my money is going than that. Granted, I use credit cards only as the consumer protection laws are far better for credit cards than debit. Someone makes off with your debit card, you are screwed, someone makes off with your credit card, as long as you report it reasonably quickly, you owe nothing for charges that
Re: (Score:2)
Re: (Score:2)
Do you have a bank loan at 1.99% for your car, and pay the dealership in cash, or did you get the 1.99% through the dealership. In many cases, the "low" interest rates you get from the dealership are only offered because the price of the car is high to compensate. Tell the dealership you'll pay cash, and the price of the car will drop significantly.
This is really only true when you're talking about manufacturer subsidized loans ("0% financing through GMAC with approved credit!"), which usually are not available in conjunction with manufacturer rebates--which almost EVERY car on the market has (even Toyota these days). In some cases, the rebates are absurdly large (pickup trucks) so you can see massive swings in the price of the car if you forego the manufacturer financing. Overall, dealerships typically MAKE money on finance deals (kickbacks from th
Re: (Score:2)
Re: (Score:2, Funny)
Just how stupid are you? They gave you exactly the same card with exactly the same functionality as everyone else. Then they told you your card is special, and you bought it?
The only thing special is you... In a short bus kind of way.
Re: (Score:2)
Re:Won't take off, but may Rip You Off (Score:4, Insightful)
Square requires your debit card info and SQUARE gets the recipients bank account details not the guy paying.
Yes, good catch, that't what I meant to type, but my fingers occasionally get ahead of me.
Still, Square ends up knowing a whole hell of a lot about people who may use the service exactly once.
We can only hope they have good security, because a break-in of their site could cause wide spread
financial chaos.
They have to keep lots of backup, simply to protect themselves and research transactions. Presumably all of their data is heavily encrypted, and they have off-site backups other than the NSA.
Re: (Score:2)
Re: (Score:2)
Except I can receive money in my paypal account as long as they have my tax id for tax purposes, and I can spend that money directly out of that account at a large number of merchants without giving access to my bank account.
Re: (Score:2)
Except Drug Dealers don't keep Bank Accounts. Its a cash and you are carrying business.
Funny, you clearly have no idea what you're talking about. The majority of "deals" are made between friends. Yes, Street corner guys can't use this, but if you're been buying from "John" for the past 15 years, you're not going to really worry about a paper trail. The quicker people realize that this isn't some secret underworld invisible to normal people, and that its really just all of US going about our daily lives, the better off we all will be. It's a lot like the common notion in the 50s that women did
Re: (Score:2)
The majority of "deals" are made between friends.
Maybe in your little upper middle class world scoring you pot for the weekend.
In the real world Street Corner Guy does most of the business.
And neither John nor Street guy puts any of that money in the bank.
Re: (Score:3)
Re: (Score:2)
> ... if my email provider suddenly added an 'attach money' option and stored my card details I'd be thinking of moving to another provider that didn't integrate everything.
Wouldn't it be easier to not share your credit card details with the email provider? Rather than move away to another email provider?