If you use an app, they sign the mails. If you use regular e-mail, you have to confirm the transfer, which means simply spoofing a mail from you won't work.
Yeah it seems fairly problematic, I remember an article on HN about how easily it could be circumvented. I'm not sure what Square is doing to protect transactions. However, with over $300M in VC money I'm sure Square will cover any fraud until they figure out a way to make things more secure just like PayPal did in 2000.
Fair enough - It's just that I feel like they need to make this really apparent before I would feel comfortable enough to use this as a product.
Purely from a product point of view, I wonder if this is one of the cases where having more friction to send money from one account to another, is a good thing.
Perhaps there is now a stronger motivation to write a javascript browser exploit
Step 1: that detects an active gmail (or other webmail) session
Step 2: then sends out an email of small enough $ amounts from a large number of email addresses
Step 3: send the email to a federated set of email accounts that Square considers legitimate users with associated debit cards
Step 4: Rinse, repeat this for a few hops to make tracing a trifle harder.
Step 5: Make Ocean's 11 bag of tricks look as bad as a O(2^n) algorithm.
If they have indeed figured this part out - then I would be really curious to learn what that gotcha is!
It's extremely unlikely someone will discover a JavaScript bug that provides access to the interpreter running in other tabs. Regardless, if someone has gained control of your webmail tab, they have control of the whole browser. At that point, there's no need to play around with Square Cash e-mail tricks, the malware author can steal credit and debit cards, bank account numbers and other valuable data directly. That's the "gotcha"; if you've already broken into a bank's vault, you don't go back to the tellers and try to make withdrawals with fake IDs.
https://squareup.com/help/en-us/article/5144-square-cash-sec...
If you use an app, they sign the mails. If you use regular e-mail, you have to confirm the transfer, which means simply spoofing a mail from you won't work.