Square Cash (square.com)
710 points by rjsamson on Oct 16, 2013 | 281 comments


This is my favorite type of product. Here's why:

- Takes an existing known medium (in this case email) and makes it way more useful.

- They didn't try to build a bunch of new UI for connecting your Facebook so you can find and invite and pay your friends, paying out to your card, etc.

- It magically hides the messiness of an enormously complex problem (fraud, different types of debit cards & banks all over the world) behind a very simple interface.

- Unlike every other P2P payment system, I can actually sign up and receive money (or convince my friend to) using only what's in my pocket (debit card)... not hunting down ACH/wire details.


Looks like an excellent target for phishing attacks!


That was my first impression. I could rip the site, post it to my own domain, and start sending out emails saying "you've got cash, give me your credit card number so we can credit it" in about 10 minutes. Great concept, and I plan to use the service, but as it gains momentum and acceptance, it's going to be a great attack vector for the Nigerians.


All online business ever is a great attack vector for "Nigerians."


As a Nigerian, I'm offended. You know, other countries scam too!


After getting to know a Nigerian[0], I must say this constant jab against Nigerians is getting annoying to me as well.

[0] http://valanx.org/index.php?option=com_content&view=article&...


No kidding. That step 3 is a doozy:

>The recipient will be emailed a link to easily deposit their cash to their bank.

You have to wonder about the wisdom of training people to view such emails as legitimate.


That's a mail people have been receiving for 15+ years from PayPal.


They just got an email from you. Not so suss.


No, they just got an email from someone that happened to have my address in the `From` field.

Since we're in the realm of phishing already, let's not forget that people still commonly enter their email address and email password into sites claiming to "Find your friends who are using this service".

The problem with social attacks is that they spread socially, and it's not enough for just "some", or even "most" people to be educated for it to be stopped.

I don't think Square are ignorant about this, but I'd like to see some confirmation that some measures are in place to counter threats like these.


What also doesn't help is that sites like Facebook leak personal information like sieves. I've been receiving the spam e-mails claiming to be from various of my Facebook friends for some time.


In the happy case, yes. But, that doesn't consider how phishing works.

So, Square trains people that these e-mails are OK. In the happy case, you get the email from a friend, followed by a link/invitation from Square. Everything is fine.

After doing this several times, one day you just get the email that appears to be from Square, informing you that you have money. This is a phishing email and there is no email from a friend, which should raise a red flag, but for many it won't. Or they may just think Square changed the process. Putting the onus on the user to discern this is not a good plan.

Training users to click a link from an email that resulted from a process they didn't initiate, then enter personal/financial information or credentials is not a good idea.


So is PayPal and just about every other financial institution. Square has some nice safeguards in place here and considering they are going to be the ones paying for fraud abuse, you can be sure they'll be doing everything possible to prevent it.


This is one area where the US seems to be behind compared to the UK. I am from the UK and that service would look quite poor if it launched over here. We have a system called faster payments service that offers instant (although in some cases up to 2 hours) bank transfers for payments up to £100,000 (can differ between banks). You can use this directly if you share bank account numbers and sort codes but there are also wrappers around FPS like Barclays PingIt that people can register with and use your mobile number instead. There is no fee associated with these services.


The US equivalent is ACH, which has the major downside that using only the bank ID (routing number) and account number you can effectively wipe out the target's account. It's up to your bank (or whatever ACH proxy) to keep you from doing that, not to the interchange, both legally and technically. ACH also takes several days to work, and has a wide window for either bank to declare the transfer fraudulent, so many banks stretch the time out longer to account for that. Most stock brokers will credit your account long before the ACH transaction completes (with some restrictions of course).

There are also wrappers around this here like Chase's Quickpay or Ally's Popmoney but most require that both people use the same bank, or that you give your ACH details to a bank that isn't your own.

Paper cheques just have the routing/account numbers along the bottom, and AFAIK essentially work via ACH anyway, so they have all of the same downsides, plus taking longer to complete.

Also, the window for fraud with ACH is so great that when you tell one bank about another account's ACH details so that you can transfer money, they "authenticate" this by making small, sub-$1 deposit amounts, and asking you what the amounts were, to prove that you can see the target account. So this "linking" process takes the entire ACH transaction time as well the first time you do it. Some banks have taken to using a service called Yodlee which asks you for the target accounts' username and password. That's right, Wells Fargo asks for your username and password on Scottrade to authenticate the transfer because they don't trust the way ACH's liability lies. So this won't work to send $8 to your buddy anyway.

Moving money without a service like paypal/venmo/square/google wallet is really quite difficult, especially if you don't want to trust an organisation with a history of taking people's money (Paypal) or if you don't want to pay a transaction fee.


If anyone is interested more about the state of transferring money and ACH in the US, there was a good Planet Money episode [1] about it recently.

[1] http://www.npr.org/blogs/money/2013/10/04/229224964/episode-...


Are you serious? Why would _anyone_ design a system like this?

In Australia, the equivalent is EFT (Electronic Funds Transfer). You can deposit money to anyone's account by telling the bank their BSB (Bank/State/Branch number) and their account number; however this is not sufficient information to withdraw money.

To withdraw money:

1. at a physical bank branch: a. you put your credit/debit card in a POS terminal and enter your pin/sign to authenticate. b. provide your credit/debit card and photo ID to the teller.

2. at an ATM: credit/debit card + pin number.

3. online banking: either the credit/debit card number and a password and often a pin as well, or a separate number and password.

All of these use an independent authentication source to the bank account number.

Also the delays quoted here are insane: In Australia, there are essentially 2 ways to pay for something (excluding cash):

1. EFT (Electronic Funds Transfer)

2. Credit card (possibly using a debit card) transaction.

On POS terminals, you can choose either; the differentiator being whether you want to use a savings account (EFT) which goes via your bank, or a credit (or savings account accessed via debit card) account, which goes via MasterCard/Visa.

All forms of EFT take 1-2 business days between banks, pretty much all the time; and they're universally free for the payer.

Credit/debit transactions seem to take 1 day universally.

We have a fairly stagnant banking system, with 4 major banks having basically the entire consumer market (and the vast majority of the nonconsumer market as well). Why, in a small, stagnant market like ours, do we fare much better than the US system?

[edit: I forgot to mention, checks are dead here, they're now almost only used for large transfers of money where: 1. you don't want to use EFT; 2. they're over the daily online maximum for EFT transfers, and you can't be bothered to go to a bank branch (although you can only get bank checks at a branch AFAIK); 3. You want an immediate guarantee that the amount was paid and the date/time/payer/payee (as opposed to waiting 1 day for the payment to come through).]


> Are you serious? Why would _anyone_ design a system like this?

Because it's descended from writing simple letters of credit (and by this I literally mean a letter that says "Hey bank, pay John here $15 out of my account kthx"), and giant ancient heavily regulated institutions are terrified of change.

The system wasn't designed exactly, it just sort of evolved


Also, the US has a very weak culture of consumer protection and regulation; solutions that require co-operation between competing entities are much harder to get off the ground. See the ACA software mess.


> All forms of EFT take 1-2 business days between banks, pretty much all the time; and they're universally free for the payer.

Other people have already weighed in on the fact that actually not all of the payment systems are free for the payer (even EFT via a terminal costs).

But ask yourself, why does it take 1-2 business days for this to happen? In the UK, the worst case scenario is 2 hours between different banks. And if the account transfer is within the same bank, it is instant.

In AU, even between St. George accounts you can see delays of up to 1 day. Insane! Especially since the money isn't changing banks but accounts within the bank.

The AU transfer delay is bizarre.


Every bank I've been with (Commonwealth, ANZ and Bendigo) has instant transfers between accounts within the same bank.


> and they're universally free for the payer.

Not quite. Vendors can now legally add a surcharge to cover the cost for payments from a credit card. Some vendors traditionally refused Amex when they had to eat the charge, since Amex was something like a 4-5% cost to the vendor as opposed to the 1-2% costs of the other cards.

> Why, in a small, stagnant market like ours, do we fare much better than the US system?

We have strong banking regulations, apparently. I heard somewhere that during the GFC, there were only ten banks of that kind globally that hung on to their AAA credit rating, and all four of the Australian big banks were in that ten.


Credit card transactions do sometimes have fees attached; specifically I was referring to EFT, which for person-to-person has no fees at all, and doesn't attract fees to the payer at the POS (whereas credit cards can).

Yeah, the real question I was getting at was, given the Australian market is even more insular and stagnant than the US, why do we have much better systems?

What you're saying sounds plausible; a comparison of the US and Australian regulations on deposit banks would be interesting.


I never realised how good we had it comparatively in Australia. I always just thought that Eftpos was something that "just worked" and that everyone around the world had (or at least an equivalent). No fees, no credit, no monthly payments, no bullshit. Just a card that you use to pay for things out of your bank account.

No processing times too :)


Actually EFT does have fees. Typically between 10c - 25c / transaction.

They are minimal, but they are there.

Plus the fee for the terminal of course. Which varies significantly between banks in AU.


Sure; I could have been clearer here.

Specifically, you can do an EFT transfer from a bank account to any other bank account in Australia via online banking, and it's free (at least in all the times I've used it).

In the case of EFTPOS terminals, EFT is always free for the payer (the customer), and credit cards are usually free for the payer, but do sometimes have a fee for the payer (certainly AMEX and Diners).

As I've now been corrected on, both types of transaction have a fee for the payee (the merchant).

The fee for the terminal itself is definitely true - I was mainly thinking of fees in terms of payers, i.e. the customer, not the merchant.

Though given there are alternative methods for credit/debit payments (i.e. alternative terminal types, like the swipe thingy that plugs into iPhones) it'll be interesting to see if people keep the combined EFTPOS + credit/debit card terminals, or abandon the EFT side, as the number of non-debit bank/keycards dwindles.


> We have strong banking regulations, apparently. I heard somewhere that during the GFC, there were only ten banks of that kind globally that hung on to their AAA credit rating, and all four of the Australian big banks were in that ten.

Our bank regulations are a joke (in the last few years, we just nationalized a fraudulent bank for €2.7 billion and re-sold it for €30 million), and yet we have a similar system, plus free virtual CCs, plus an award-winning ATM network that doesn't charge any fees for usage/withdraws.


It's bad. One time I mistakenly reversed the source/destination when sending my roommate two months of rent money and I over drafted his account because it took the money without asking his permission.

Once the accounts are linked, either party can pull/push money without the other's approval.


Seriously? That's insane!


That sounds like whatever user interface allowed you to use the remote account as a source was equally to blame.


> The US equivalent is ACH, which has the major downside that using only the bank ID (routing number) and account number you can effectively wipe out the target's account

Interesting. I had come to a similar conclusion myself. I noticed that in paying my school fees all I needed was those two numbers (banking routing #, bank acct #) for payment with no further verification. As you have observed all of these details are readily available on paper checks.

One way to mitigate the issue of someone potentially wiping your account is to have two accounts. One public and one private. The private one would contain (most of) your actual funds whilst the public account, which you would share freely as needed would contain just enough funds to complete whatever transactions that you need to do. Sure, it is not as convenient because you have to manage two accounts but at least that way you reduce your exposure to your funds being completely depleted.


I use checking and savings in this way. I think it's pretty common to do so that checking is a revolving fund and doesn't hold any significant money, but it's also common to just have all your money in the one account.

Anyway, good description of ACH above. Very few people understand how it works.


Could just use bitcoin.


surprised to see that this is the only mention of XBT in this thread.

Seems to me like square cash is comparable to the extremely low friction nature of XBT to XBT transactions, but with fiat currency.

I'm not saying square did this in response to bitcoin, just that it's scratching the same (or a similar) itch.


Now, if only I could Square my BTC into somebody's fiat account without friction...


Having recently moved from the UK to the US, I was quite shocked at the state of US banking. In the UK we can transfer money for free, use many ATMs free (not just the bank's own), we get free chequebooks, and there are plenty of accounts with no monthly fees. My US bank has a whole list of charges, and it's not made up by higher interest rates.


UK banks do the same, they just charge their fees to people who go overdrawn instead.

There's no such thing as "free banking" in the UK


As another person who has lived in both places, banking is a lot freer in the UK. Yes, UK banks charge overdraft fees - but so do US banks. Most US banks will charge you to send you replacement checkbooks; many will even charge you a monthly fee to maintain the account. There are notable exceptions, but they don't have mass market buy-in.


I moved to Canada (from UK) and similar situation. Monthly fees, X amount of transactions per month, fee to withdraw from other banks (although we had this in UK too for a few years), fee to pay someone else money whether in the same bank or not and even via the internet.

I tried to deposit a cheque into my landlord's account and the bank teller would not accept it, had to be cash or bankers draft - I presume because they may have a limit on the number of transactions per month and anything over would cost them additional money. I found it very bizarre.


Remembering people's bank account details is a nightmare though. I sometimes need to pay friends or family back for a meal or whatever, but going through the rigamarole of requesting their bank account details and then logging onto internet banking, going to the payment screen, putting their details in (making sure you don't mistype a digit in their bank account number) and then hoping you did everything OK is just a fundamentally broken UI.

The Barclay's "pingIt" system is a step in the right direction, I think all banks should adopt a similar system. Paypal "gifting" is a good alternative to this but not everyone has a paypal account


Both banks I've used recently (Natwest and Halifax, not that I can recommend either) keep a saved list of people you've paid in the past, so I only had to go through that dance once for each person I paid. For the people I paid most frequently it was very convenient, I could send them money in seconds using the Natwest Android app.


Ah - I was under the impression PingIt could be used by non-Barclays customers.

That said, NatWest's mobile app also allows this behaviour: I can send a contact a text with a link allowing them to deposit the amount specified: up to £250.


That's how it works in much of Europe. The US banking system sucks. I have clients in Germany. They pay me via credit card because bank transfers to US accounts are such a pain. If I had a German account they could pay me instantly without hassle. Even many of my US clients pay me by credit card because they'd otherwise have to mail me a check (yuck) or get some kind of 3rd party bank transfer service which they're not willing to do.


Faster payments are so fast in some cases that, transferring between accounts with different banks, I see an update in the recipient window before the sending bank website has finished serving the confirmation page!


On one occasion I asked someone to transfer me money while I was queueing for an ATM. Hung up the call and took the money out. It's FAST!


The most stunning part of this is the "free" part.

The Durbin amendment regulates the cost of debit transactions over the Visa/Mastercard network. It's $0.22 + 0.05%.

Mossberg reports that Square is planning to monetize via "premium options" like international transfers. But still, $0.22+ is a lot to lose every time someone uses your mass-market service.

Good thing they raised $341M of VC money.

Who said the dot com days aren't back??

Source: http://allthingsd.com/20131015/the-money-is-in-the-email/


Maybe, but maybe not.

The dotcom did get some things right. The internet is a big deal. There are land grab markets. They got timing and lots of other details wrong. Maybe they will need to have a freemium offering long term to avoid too balance this if they start hitting millions of active users. It should be easy enough to get $5 pm from big users.

They are playing for a big market(s) here. Very big. If they are paying to build their name and userbase, it could make good business sense.

We know a lot more these days. Our instincts are better. We are not coming up with a valuation based on a multiplier of hits. A user of a financial service has a realistically high value.


I didn't say dot com got anything wrong. I'm saying raising hundreds of millions of VC dollars and practically giving it away is a dot com era strategy.

Remember when PayPal paid out a $20 referral bonus for each new customer? Yeah, those days.


Well, you're not saying that didn't work out for PayPal, are you? :)


No, I'm really not. All I'm saying is it's a similarly audacious, capital-intensive strategy that can only happen in very favorable capital markets.

It's worth looking at how PayPal tried to steer towards profitability in later days, though. They basically became more evil. When paying merchants, they try to trick you into preferring ACH transfers direct from your checking account over using your credit/debit card. The former has weaker consumer protections, no rewards and risks overdraft fees, but lets PayPal keep almost all of their 2.9% + $0.30 fee, since ACH costs just pennies.

Not saying Square is going to become evil. Just saying they'll have to figure out how to break even with it eventually, because right now there's a built-in operational loss that scales with usage.


It worked out for them (being bought), but I think you could relate it to a pump and dump scheme.


It's called solving the chicken-and-egg problem by funding one of them. There was an Elon Musk interview about that stage - IIRC they invested/gifted ~100 million (!) in such activities; but this marketing paid back afterwards in billions.


If you say dotcom, the association is over-investing, ridiculously irrational valuation of companies/users/hits, pets.com, bankruptcy, find-the-bigger-fool, etc.


Dotcom days also implies flawed business models that are unlikely to ever be profitable for the company, never mind investors. I think it was a relevant use of the word considering the point of abalone's argument.


Upthread [0] someone mentioned these transactions are being processed as 'refunds'. Perhaps these transactions are not required to use the same fee structure?

0: https://news.ycombinator.com/item?id=6560373


I believe the original Square payment system processes billions of dollars in transactions every year at 2.0%. Perhaps this is more of a customer acquisition platform with premium features to come.


I assume this would be free person to person, then expand to buying things (particularly with the mobile app). You then charge a fee to the buyers.


my guess is the '1-2 days' for you to get your cash is how they are monetizing it. Sure, a poster above got $1 almost instantly, but as volume increases, 1-2 days in some form of investment vehicle will add up.


They'd want to be making returns north of 20% per year just to offset the fees alone if the numbers abalone outlined are correct.

Edit: to elaborate on how I calculated that:

1. We don't know transaction size so I just focused on the 0.05% transaction fee. Obviously if transaction sizes are small, the fixed element of fee is higher as a proportion of the amount held for 1-2 days so the required return to break even is much higher.

2. If the transaction fee is 0.05%, $1 transferred turns into $0.9995

3. Square is sending $1 to the recipient. Therefore to break even, it must turn 0.9995 into $1.00 in the 1-2 days it holds the cash for.

4. To do that in 1 day, it must earn a return that is roughly equal to 20% annualized. So the annual return is (0.9995 x 20) = 0.1995. The daily return is 0.1995/365 = roughly 0.0005.

5. Adding the return of 0.0005 to the $1 brings you back to the $1 that Square sends on to the recipient. So they break even if they are earning 20% a year on the cash they hold before it gets sent on to the recipient.

Note the required return to break even is lower if they hold the cash for 2 days. However I'd guess they don't because one of the banks along the way probably hold it for at least half that time. Also, even if they do hold it for 2 days, you still have to overcome the fixed cost, so that moves the required return back towards my 'north of 20%' figure.

PS - since the Square guys are obviously smart, I'm sure they've done the above math so I'd question whether they really are paying these kinds of fees on each transaction. However if they are, Abalone's dotcom days comment is entirely correct.


No, that's just the time it takes for funds to transfer from one bank to another via ACH.


No, this cannot happen unless their FAQs are explicitly lying.


$0.22 is pretty cheap for customer acquisition though.


It's not just for acquisition. It's an ongoing operating cost.


Of course, it all depends on the volumes. If someone uses the site 10 times, who cares about the $0.22? 100 times, you might start caring. 1000 times, you might not want them.


Do Interac email transfers not work in the US? They're pretty much the same thing: send money to an email recipient who then clicks a link to deposit it in their account. I'm surprised that this is big news, and that it seemingly doesn't exist down south.


Interac is an exclusively Canadian payment-processor. The American equivalents are PLUS and Cirrus--who could have implemented this long ago, but for some reason haven't.


I didn't realize that. The ubiquity of Interac around these parts, and its deep integration with all things financial, led me to believe it was an international institution.

After spending the last week trying to find a cellphone plan for my mother, seeing a Canadian institution that mostly works and is mostly good for the consumer is a welcome breath of fresh air.


At my bank interac e-transfer costs $1.50 a pop but paper checks are free and unlimited. It boggles the mind.


Only if you're still tied to the notion that prices are proportional to costs. e-transfers are more convenient for consumers, so they can charge more for them.


I see it as being incentivized to waste relatively large amounts of their time and money printing, shipping, and processing my checks for stupid small amounts like $23.46.

But you're right, I'm sure that for every person like me there are many who just pay the $1.50 for the convenience.


Paypal has been offering this for a few years, but they don't promote it much.


I thought the same thing.

Email money transfers? I've been doing them through my bank for years. It's incredibly simple.

I guess this says something about the state of innovation and technology; there are gaps, even in the mainstream between neighboring countries whose cultures are nearly identical. By finding those technological gaps, you can impress a lot of people.


The big innovation here, it seems, is pricing. Square Cash transfers are free.

In Canada, the email/Interac bank transfers that are so prevalent here still cost $1.50 charge per transaction.


Note that it takes 1-2 days for the deposit. They must be using ACH to do this. The 'free' part is great. Even with Square, I'd be hesitant to enter my debit card number.

Planet Money recently did a great episode all about the US's ACH system and why it works the way it does.

http://www.npr.org/blogs/money/2013/10/04/229224964/episode-...


The deposit is instant and it does not use ACH.

Here's another comment that describes someone's actual experience with the product: https://news.ycombinator.com/item?id=6557516


Faster transfers are possible. Some companies (Kabbage maybe?) are able to do same day or instant transfers without wiring.

I believe it's done by opening bank accounts at major banks, and then using the interbank transfer system which is instantaneous and only requires an account number and a name. Other services offer pushes to credit cards or debit cards using bill pay systems or blind credits.

It isn't actually that hard to move money from person to person. The real issues with this sort of stuff are: a) payments fraud b) money transmission law and regulatory compliance


Based on the comment above that tried it, your theory of transferring between accounts in the same bank (and then reconciling later) would make sense.

The Planet Money podcast noted that some banks (Capital One, BoA) offer a similar service if both ends have accounts.


Yep - Kapil is correct. Any serious payments company manages accounts in various banks and uses its internal systems to manage credits and debits at the individual account level.


They are not using ACH for this, but rather probably using the PIN-debit networks such as star, interlink, nyce and accel.


There is actually the capability to do an instant transfer over visa and mastercard networks as well, but it is somewhat expensive (>0.20) -- the pin debit networks are smaller and more willing to negotiate this sort of thing, and since most debit cards are able to process on more than one pin debit network you can get 100% coverage with just a couple of the pin debit networks playing ball.

That they are not allowing this for credit cards indicates that they are using the pin debit networks.


This says that debit cards are "online transactions" that could cost 10 cents vs 2% for an "offline" credit transaction - http://banking.about.com/od/checkingaccounts/a/debitvscredit...

I believe the transaction fee is higher and there's a percentage rate taken for non-pin debit card transactions.


> That they are not allowing this for credit cards indicates that they are using the pin debit networks.

not necessarily. you can't think of any other reasons why they'd do this?


but they don't actually require a PIN number to complete the transaction, so that's probably not how it works, right?


> Even with Square, I'd be hesitant to enter my debit card number.

Are you afraid of entering your debit card number? How do you make purchases online?


I'm going to guess with credit cards.

Credit card numbers are much safer to use online than debit cards, mostly because credit card dispute mechanisms give consumers a lot more power. If a merchant behaves in an unsavory way, with a credit card you can usually just call your bank, issue a chargeback and that's the end of it. You can't do that with a debit card.


This is wrong.

You absolutely CAN dispute charges with debit cards. The problem OP might have with debit cards could be that a fraudulent charge temporarily locks cash funds (with debit card) instead of credit availability (with credit card).


You're oversimplifying.

There are wide differences in consumer protections between credit and debit cards.

The list of reasons for a valid chargeback on a debit card is much more narrow than a credit card. For example, suppose you purchase a tablet online and when you get the package, you sign for it, open it, and it's a paperweight. If you charged that on your debit card you're out of luck and will have to go to small claims court. On a credit card -- especially a good credit card -- the charge would be reversed. The issue there is that you signed for the package. If you don't believe that, give your bank's fraud dept a call, and then your credit card companies.

American Express obviously is great for consumer protections but truthfully any Visa Signature card offers a competent level of service.

Personally, I would never use a debit card online (or anywhere else for that matter) and would advise anybody against it. Not to mention, you can earn some fantastic cashback/mileage benefits. My wife and I are flying next spring to Europe, first class from San Francisco, over $20k in airfare, for only $2500 out of pocket for taxes and surcharges. To earn this we've spent $40k between 2 British Air cards in 15 months.


I will only point out that you're paying for this kind of convenience in getting your money back - and the cheap flights - somewhere.


Somebody is paying for it. Maybe not (only) the person getting cheap flights.


Ted has it right. Consumers with compromised credit pay for the benefits given to consumers that the CC companies see as more desirable. I'm not one who believes in not taking a bite at the apple when everybody else is.


Ah, thanks for the clarification.


Actually, that is not the real reason credit cards are safer :)

You can dispute most debit card transactions now.

Besides the "one is availability of credit, the other, real money", there is a liability difference.

It used to be, at one point, that debit card liability was essentially unlimited but a consumer's liability for fraud on their credit card was limited to $50 by federal law (see 15 USC § 1643). Debit card liability now has a maximum as well, but your maximum liability actually depends on how quickly you notify.

If it's within two days, it's $50 liability on a debit card, but if you notify past that, they could legally make you liable for up to $500.

(There are other liability generating situations that exist for debit cards but not credit cards)


As lbarrow said, I use a credit card. It used to be that debit cards offered almost no protection. I think they're competitive with credit cards now, but that may only be when you're using it like a credit card. I don't know if this would count towards my fraud protection (which, honestly, I know nothing about).

Really, it's because I use my credit card as a firewall account. If my credit card gets compromised (which has happened twice before), I have to change maybe a dozen things that link to it. It's an inconvenience, but my bank can get me a new card the next day. Worst case scenario I lose my credit card for a week or so.

If my checking account is compromised, things are worse. If my checking account gets locked, not only can I not use it, I also can't pay my credit card. I'd have to set up my paycheck (pain), rent (pain), and some other things. Then I'd have to re-link a couple of other bank accounts. While I like my current bank, I don't want to take the risk of that account being locked for a week.

The idea of giving a random website (in that I don't have an account/relationship with them) a number that provides direct access to my paycheck gives me the shivers.

You could do basically the same thing with ACH. If a payment service asked you to enter your routing and account numbers, would you be OK with that? I see it as the same thing.


As a non-USAsian, I'm always puzzled by the Americans' paranoia about their bank account details.

In most countries, bank account numbers are effectively public knowledge, and appear at the bottom of invoices and such. The trick is that with this knowledge you can pay money in to an account, but you can't get it out - for that you need authorisation. This makes paying via echeck or direct credit very easy.

Am I right that in the US you can get money out of an account if you know the account number? If not, why the secrecy about your bank account numbers?


Yes, in the US you can take money out of an account if you know the number. No, it's not a good system.


Actually, you can't just take funds out. How would you do that, counterfeit a check and commit fraud by cashing it in? The bank ATMs/teller machines would reject that check and you'd find yourself in prison very quickly.


Actually, you can.

1) ACH. Everyone has mentioned that already. I'd need routing and account number, and likely need to know if it's checking/savings or business/personal. Like they've said, everything that I can find on a check. You could contest it for ~ 60 days, but you'd have to sign something at the bank, and you're out the money till you do.

2) Drafts. They're like checks, but not. Some health clubs (Curves, iirc) do this as well as some other less reputable businesses. Basically, once you sign an authorization (that they keep on file, not like it gets passed to the bank or anything), they can print a check-like thing and put some specific language in the signature block area, and deposit it. Typically, this is done in bulk. Often times, it's then immediately converted into an electronic equivalent check (Check21 law) and then deposited in one big file. Return rates on these are astronomical. Most banks won't touch them. They should die.


You use the system backing check processing, ACH. Theoretically, this is similar to counterfeiting a check, except:

- these are electronic requests, so there's nothing to distinguish "genuine" from "fraudulent" ones

- you really do have all of the information that goes into an ACH payment

Really, it's much more similar to forging a check than to counterfeiting one.


What service allows you to specify a debit from an account that's not authorized, in the US? No bank that I've ever used provides that, nor does an online service or API without first authorizing a debit via ACH with the deposit confirmation.


Deposit confirmation seems to have disappeared. I pay several of my bills (including rent, kind of a biggie) via direct withdrawal and never confirmed the account. Just went to a website one day, typed in some numbers, and clicked pay. (Oh, I did have to mark the checkbox that says "I authorize this payment", but that doesn't seem like foolproof security to me.)


I'm no expert by any means but aren't the account number and routing number both printed on the bottom of every check? Are you saying that simply giving a check to someone compromises your checking account?


Yes, they are printed on the bottom of checks because they are the information that allows conversion of the check into money. Yes, giving a check to someone compromises your account. You're trusting the other person to do nothing other than withdraw the amount on the check, but you're giving them enough information to withdraw whatever you have in your account.


And be charged with a crime for it. That's the other part. Not just trust.


Remember that the person you're replying to said "which, honestly, I know nothing about".

To remove money from a US account, you also need authorization. The trick thieves use is to lie about having authorization. In that case, it's fraud.

I don't know of many fraudulent transactions that can't be reversed. Even fraudulent/unauthorized wire transfers can be reversed. The bigger problem is the hassle that comes with losing access to cash while the situation is resolved.

Can someone with actual banking knowledge correct me where I'm wrong and clear up this confusion?


It may be a historical thing. Whenever you get a receipt from an ATM or a store, your account number is blocked out (so you end up with "XXXXXXXX9585") for privacy reasons. I honestly don't know how dangerous exposing my account numbers would be. Consumer protection laws can be hit-or-miss (or, in many cases, just plain missing). It's easier to just be careful.


I don't think they're using ACH, at least not exclusively. You can't do an ACH transfer with a debit card number.


They're obviously taking a loss on this (due to credit card fees) if the recipient gets the full amount sent. So this must be a loss-leader that's building up to something else where they expect to make a ton of money.

That "something" is most likely just "replacing cash and cards", but will be interesting to see how it plays out. It's a bold move regardless.

EDIT: I meant debit card transaction fees, not credit card fees.


Debit cards only. I'm sure the fees are significantly lower for debit vs. credit cards.


> I'm sure the fees are significantly lower for debit vs. credit cards.

This used to be the case, but in recent discussions with retail owners I've been told that the fees are now comparable.


In my Canadian city high-volume, low-price businesses such as independent fast food places take debit only since credit card charges would remove a good bit of their margin on a sale.


Yeah, true. But isn't it still in the neighborhood of 2%?


0.05% + 22¢ for debit cards.


That is an insane amount of money to be losing if/when this thing takes off. There must be more to the story.


I don't think so. It's a user acquisition cost. Instead of putting up Ads, they're offering a free service. Good tactic.


Square has had a system called Wallet for several years where if you enter a store using Square, and it detects your phone in the vicinity, you can "pay by name." You walk up to the register, say "I'm John Smith," and they tap your name on the Square register to check you out. No need to take your phone out of your pocket.

Perhaps this is just an attempt to backdoor people into becoming users of Square Wallet. Give away person-to-person transactions for free, get a massive user base for business-to-consumer transactions and charge the businesses for the use of your network.


There is no fee over an ACH transfer.


I believe that Amazon Payments is the only system that lets you pay someone with a credit card, although it's limited to $1,000/month (otherwise people abuse it, sending cash to each other to rack up points on their credit cards).


I thought that there were now ways for payment processors to flag that a transaction is not supposed to earn points? (eg. balance transfers, cash withdrawals etc...)

Otherwise I could deposit $10,000 from my credit card into my on-line gambling wallet, then withdraw it, repeat...


The better example is the scam people had going for a while where you could buy $1 commemorative coins (e.g., http://en.wikipedia.org/wiki/Sacagawea_dollar ) from the US Treasury for $1.00, with free shipping (the mint made many more of them than the demand, and wanted to get rid of them). Some people bought $100k worth of coins on an Amex card and kept the miles (only problem with that is depositing a zillion coins with local banks). That's now been shut down if I'm not mistaken.


I challenge you to find a website that will let you charge $10k into an online gambling account from a credit card. And any that do exist will charge fees higher than credit card rewards in most scenarios.

But yes, you also will not earn points on balance transfer transactions. But they typically are processed via ACH.


You're right, I haven't tried to deposit more than about $1000.... however I could just do that over and over again.


With a credit card? Which site? To my knowledge this did not exist. Discount fees would cost them 2% at least.


I believe Amazon Payments charges 2.9% + $0.30 per transaction, which would not make it an effective way to rack up reward points.


What about PayPal?


Note that this isn't available everywhere: https://squareup.com/help/en-us/article/5136-troubleshoot-sq...

(Would have been nice to see this on the actual page rather than hidden in "Troubleshooting")


Hmm neat, however what benefits do I get using this when it's also built into Gmail and provided directly by Google Wallet?

http://www.google.com/wallet/send-money/


Because you don't use gmail? Because your target doesn't use gmail? Because you're already a square user and not a Google Wallet user? Because you'd like to use a debit card without paying a fee? Because you like the letter S better than you like the letter G?


I'm pretty sure Google Wallet in Gmail lets you send money to someone not using Gmail. But you are correct. I guess it's a good solution if you don't want to deal with PayPal/etc. when you happen to use your own email setup or Outlook/Yahoo/etc.


It has nothing to do with being edge-cases like "if you're hosting your own email thing". Personally, I just like to limit how many of my eggs are in one basket, and I already have a lot of eggs in the Google basket. I like my bank's own built-in system for this right now between me and their other customers, and for everyone else I use venmo. It works great, and I have no real complaints about either system.

But really I don't need to be talked out of using Google's like it's the default, and I'm not clear on why you do. I don't really get the "why do you use your own favourite toy instead of my own favourite toy?" crowd


Because sending money is free using a debit card? GW and bank accounts are free, but there's a 2.9% transaction fee for debit cards.

Source: http://www.google.com/wallet/send-money/


Gmail "Send Money" charges a fee of 2.9% for people who don't use Google Wallet.


Not true. We only charge the sender to send from a credit card. If you send from a bank account or from the funds that you've already received, it's free.


Thank you for clarifying! Looked further into it here [0] "Receiving money is free no matter what." However, the text "You can add other payment methods like credit and debit cards, and a 2.9% fee per transaction (minimum $0.30)" is still a bit unclear.

[0]: http://www.google.com/wallet/send-money/


Thanks for the feedback. I'll see if we can improve the wording at all.


The products are marketed very differently and have different features. Google Wallet is explicitly hoping to replace your wallet, focusing on loyalty cards, NFC payment, online shopping, and fraud monitoring, in addition to simply sending money to friends.

On the other hand, Square is positioning Cash as a dead-simple way to send money to friends, whether or not they've downloaded the Latest Social Micro-payments App™. It's plumbing. Long run, they are obviously gunning for cards-on-file to support their merchant tools, where they make money hand-over-fist.

Who knows...Square Cash might expand into something that resembles what Google Wallet is today. They seem to be starting with the basics.

Besides that, Google Wallet is available in all 50 states, while Square does not allow residents of Hawaii and Tennessee to send money (only receive it).


Is that actually widely available? They announced it a long time ago but it has yet to ever show up in my gmail.


It's still in slow rollout stage. If you want to try it now, I'll send you a cent and it should be enabled for you. (You must be in the US, read the TOS, etc.)


And composing an email to send someone money is secure how?

What stops someone from spoofing my email address, CC'ing it to cash@square.com, and clearing me out? And if someone does get in to my email account I'm toast?


Apparently, for suspicious activity, they'll send you an email back confirming the transaction. I would hope that most large-scale modern email services somehow sign emails to vouch for their authenticity to avoid email spoofing. I'd be curious how they handle dumb senders (I'd assume with a verification every time).


> I would hope that most large-scale modern email services somehow sign emails to vouch for their authenticity to avoid email spoofing.

Wait, what? I don't think that is a thing.


There is such a thing (look up DKIM) but it's really only one factor of email authenticity and I'm sure Square isn't fully relying on it.


Via https://squareup.com/help/en-us/article/5144-square-cash-sec...

> Square verifies each Square Cash email to authenticate that it comes from a legitimate sender. For added security, we send you a text confirmation each time you send Cash if you have linked your mobile phone number.


if you link your mobile phone number



Surely it's the other end that is insecure. If this starts growing then sniffing unencrypted emails from Square offering "sign-up to receive your money" sounds profitable enough to be interesting to some actors.


"You’ll receive a reply from Square asking you to link a debit card."

So you need to confirm it (and provide a debit account) I guess - but not sure how subsequent transactions are handled.


Presumably linking a debit card only happens once, and afterward, you're only contacted to verify suspicious transactions.


Subsequent transactions are automatically debited without authorization.


Brilliant solution, but can anyone tell me how they avoid fraud? I just sent money to a friend, and back. It worked fast and flawlessly, as expected. Supposedly money will be posted to my account in 24-48 hours. All good there.

Now, how can they make sure that the email is genuine and wasn't spoofed? Sure, they can check for white-listed domains and SPF records, but still seems fairly weak process. The FAQ [1] doesn't say much either. Human validation is even worse.

It helps that the sender receives an email confirmation with the transfer, but you may not check the email before the money is posted. I guess they're pushing the onus of the proof to the receiver -- after all to receive the money you have to have a bank account and a visa/mc debit card.

Whatever the security mechanism, it's a brilliantly simple solution. If it takes off, it'll quickly replace Dwolla and other micropayments.

[1] https://squareup.com/help/en-us/article/5144-square-cash-sec...


I'm completely taken aback by the simplicity of this + that it's free. So many times have I paid a contractor via PayPal as a "friend" to reduce PayPal's fees.

Moreover, why hasn't a bank or credit card company done something like this yet? Amazing how the solution disappears into a cc: address line and unique link in your email.


The simplicity of this is amazing.

That being said, I have a question: Here in Canada, I can send an email transfer of funds from my bank account to my contacts by simply logging into my bank online and specifying the email address of the recipient. Does this type of system exist in the US?


Chase Quickpay works like this. While it is limited to another Chase customer (I believe), I don't need to know their account number, just their email and I can send them money directly. The other person can then login to their account to claim the Quickpay and the money is transferred immediately. The transaction is free, and I am notified when the money has been accepted.


Agreed. Once this comes to Canada, it'll kill Interac Email Money transfers (of which my plan only allows two free per month, and is not nearly this simple).


I think OP meant the opposite. This is cool, but the incumbents in Canada have already done it, and it's more trustworthy (it happens on your bank's website) and 'good enough'. Even if the tech-savvy switch to Square, the average bank-user will prefer to use INTERAC. At best this could pressure banks into giving away more free INTERAC transfers with their paid accounts.


Looks like it's US only? ZIP code??

Residents of 48 US states have the ability to send and receive Square Cash. Currently, you'll be limited to receiving Square Cash if you live in the following two states..


I've had a debit gift card for 10 months with $35 on it. Just used this to send that money to myself. Awesome.

Amazing what you can do with a card number and expiration date. Don't lose your debit cards!


It sounds great, but I'm always left wondering what the angle is for free services. Will they make their money off of float? Is it something to do with the way debit cards are charged?


I think linking accounts to debit cards is pretty valuable on its own. It opens the door to making payments for a lot of people much easier down the road.


Like how Paypal encourages you to tie your bank account to your Paypal account; they get to charge merchants the credit card interchange rate while taking advantage of the low ACH funding risk on the buyer/purchaser side.


I just scoured the site and saw no limits for receiving through square cash. I can't imagine that this is actually the case; does anyone have any idea what the actual policies are?


$2500 a week, or $250 a week before ID verification, according to WSJ.

http://online.wsj.com/news/articles/SB1000142405270230337690...


That's described as a limit on spending, not on receiving. It may be symmetric, but it's not clear to me from that.


Reminds me of a similar gmail feature http://www.google.co.uk/wallet/send-money/


Seems a little scary, to be honest. It's plausible that malware (or even just somebody physically using your phone or computer for a minute) could generate and perhaps send these emails on a user's behalf (and then delete the confirmation and the "sent" copy, depending on the mechanism). If I were ever to use this service, I'd surely use a dedicated email address that's harder for me to casually send mail from.


I was talking to a colleague about how Dwolla implements a similar pay network. I don't know Square's implementation. It varies with different P2P providers. Some create their own 'rails' in the backend (PopMoney, etc.). Some follow the 'clearing firm' / brokerage model of the commodities / equity markets. They have accounts in all major banks with deposit (debit) accounts and simply do an inner-bank transfer on both ends on your (and your recipient's) behalf.

That got me thinking though. It's 2013. The ideal solution is not to be beholden to any centralized authority or group of 'clearing' accounts for routing. The ideal solution is security but flexibility and distributiveness. The ideal solution is a network of trust with similar 'hubs' / 'clearing firms' that one can choose to route through automatically, have all the routing be automated for you via solid protocols.

There is the chance to create clusters of payment routing networks that are more elegant. It would make money movement so much more liquid in our world. And would be a really great thing.

Maybe Square is the beginning of that solution. I hope it gets even more distributed though. It's mostly companies leading the way for this. And good for them. But there's another possibility: something very open, but given the right protocols and architecture, very secure.

There is no incentive to create such an architecture other than the amazing world that it would mean where you could travel to different countries and authenticate seamless money transactions to whoever had a phone or email endpoint (again there would have to be name servers + some sort of money equivalent of SMTP + TLS / chains of trust + distributed clusters of shared 'clearing' bank accounts + routing algorithms to these accounts, etc.).

But that didn't stop Tim Berners-Lee or the early internet folks....


I want to learn more! The Help page is a 404 though: https://squareup.com/help/en-ca/topic/139

What banks does this work with?


I wanted to do the same, to figure out how they make their money, but also a 404: https://squareup.com/help/en-ca/topic/139-square-cash

Looks like the help is only available in US English. If that is the case, and it looks like they are using some sort of CMS, then it should be fixed up and content fall back to something useful rather than a 404. This is a link off the landing page on a site with very little content, pretty unacceptable in this day and age (but for now there is the benefit of doubt to assume you are doing a beta run for feedback).


I think they've done something quite clever by (I infer) getting people to join up when they receive money. Venmo puts up an unnecessary wall by requiring that the payee sign up before they can be paid.


A point about spoofed email, Square always seems to ask the sender for a confirmation whether the email was spoofed or not. I tested this by sending it legitimately and through an unauthorized email server.

The only thing that was concerning was when I sent a spoofed email, the receiver was able to know the sender name (cash account name) – "ABC is about to send you cash". Very minor but it allows anyone to find out your name provided they know your email address.


What are they using to do the animations on the demo site?


Yet another US only payment option. I get it, but at least state it somewhere so people like me don't get excited and then suddenly disappointed.


I don't see anything on the site but on Google Play it warns the app can't be installed on my Nexus 4 - I take it this is US only?

Edit:

Looks like it's not even available in all states in the US [1]

[1] https://squareup.com/help/en-us/article/5136-troubleshoot-sq...


Square Cash is definitely some sort of loss-leader, but for what?

Most obvious long-run plan would be for user/debit card acquisition (which has lower interchange rates) to support their bread and butter business (merchant tools) as this would increase their profit margins by reducing processing expenses, especially since Square simply charges a single rate to merchants...


>Free. Actually Free.

Ok now I'm confused. I realize it's probably a marketing ploy, but how could the fees on this not eat them alive?


There may be some fees for them here, but it's not like they are paying 2.7% per transaction. It only uses debit (not credit) cards.


ACH transfers are stupid cheap compared to credit card transactions.


debit cards != ACH


You can apparently convert debit card transactions to ACH transfers: http://www.digitaltransactions.net/news/story/3518


There's a similar thing in Sweden, called Swish (https://www.getswish.se/). But it's a cooperation between banks, and you link it with your phone number, the transfer is instant, you have to identify using something called Bank ID.

Square Cash seems nice, but I prefer the approach of Swish.


I've been using Square Cash for a few months, and it's worked flawlessly. (A friend used it to send me money, and I jumped on the bandwagon; didn't even realize it was pre-release!) Square is attacking the consumer payment market from all angles, and I think it has the potential to become one of the biggest companies of this bubble!


This needs an out-of-band verification for the transfers. At the very least, it should confirm every new recipient - "Did you really mean to send $500 to yahoo@google.cc?"

Seriously, I am all for the simplicity of the system and the flow of the narration, but where the heck is the explanation of how this is not trivially exploitable?


I just tried it (not being a square user) and got a confirmation email.

"You’re sending $1 to xxx@yyy.com Just link your Visa or MasterCard debit card to send this cash."

If I did sign up and not receive a confirmation email for any following transfers I send, then I agree, I'd be worried as well.


I get that this is cool because it doesn't require an app or anything to work. But I just don't see this replacing venmo for me. Albeit venmo requires a bit of set up (so does this) and an app, but once that's in place sending money is quicker and easier and I don't have to remember to cc anyone. Thoughts?


I really liked the idea. It's really good for all the parents who are not so tech savvy and can send money this easily. And it's all free? I don't understand why. I mean I am not saying that it should be paid or something but being an entrepreneur myself I would love to know how you guys are making money on this.


Not talking about the product for a moment. There are a lot of not-so-great "flat design" websites out there, but Square Cash's is one of the best I've seen. I keep seeing these loud sites with full-width graphics and animations on everything. This is how it should be done. And responsive to boot!


Interesting, I currently use Venmo, which ties into Facebook accounts so it's super easy to find people. But Venmo is only free if you tie your checking account.

With this I can tie my debit card (which I guess is the same thing). So, I don't see any real positive benefit over Venmo IMO. Can anyone else point anything out?


This is simply a user acquisition mechanism for the rest of the Square business. They lose money on every transaction.

Read this: http://www.quora.com/Square-Inc-1/What-are-the-details-behin...


I think that's an awesome idea, in the current world where the cash is not used as often as before and it's hard to just send money to your friend or relative without dealing with long forms, swift codes, routing numbers etc... I am just wondering how did they manage to make it free? Any ideas?


I love and trust Square, but would be extremely hesitant to trust my debit card anywhere online. Someone going on a charging spree with my credit card doesn't bother me as much as the thought of someone stealing this number and taking the money directly out of my account.


Anyone know if this will work with international debit cards?

E.g. if I have a debit card with my account at a Jamaican bank, can someone from the US email me cash and it arrives instantly or is this just a US service? Can't find any details about this on the site.


I'm guessing it's a US-only service because Google Play refuses to let me install it, saying it's not compatible with my device. The only reason I think of (I have a pretty recent phone!) is that I'm not in the US.


I don't really care about that new feature, but man, I love that background video playing with the animation.. Is there a library to help create that? Seems like it's a <video> with some animation css on top of it?


I'm not quite sure how to sign up. When I go to "Account" at the bottom right and enter my email address, it takes me to the purple "how to sign up" section, but it's not clear what to do from there.


Free. I bite, what's the catch? I presume recruit users to use the Wallet app?


This is similar to competing services on venmo and paypal. I believe they make money on:

1. The "float". The interest that they make from the period that people have cash in their accounts. If an ACH takes 4 days to complete, they may take 5 days to complete it, and collect a day's worth of interest

2. The halo effect. Now you're a Paypal/venmo/square user, and therefore more accessible to vendors using them as a payment processor. Those vendors pay the service transaction fees.


I cannot believe this is happening. This is extremely cool...

But didn't we agree that email wasn't a safe protocol?... How long do I have to cancel a transaction? Are they going to honor the fake ones like Visa does?...


Echoing the other commenters: this is really great, but I'm a little weirded out because it's free. I'd like for them to be upfront about why it's free, since all the alternatives aren't.


That's not true, venmo and paypal and google wallet are all free if you use ACH.


This looks pretty interesting, but, as everyone said, security sounds like it will be a huge issue. Will there be other methods of verifying a user for email, now that it can be linked to your bank account?


I was just impressed by how the colors of the buttons in the top left corner (when idling at the section with the video background) are synchronized with the color theme of the video background.


Hands down one of the best interfaces / UX I have ever used. It's about time someone made sending money really simple and free. Can't wait to see how this service matures.


I remember seeing this talked about a while back and not thinking much of it, but the details look slick. Sending money with no signup required seems pretty awesome.


If they are really losing 0.05% + 22¢ every transaction, then Venmo should use Square Cash to make a lot of large transactions, forcing them into bankruptcy.


Since the emails are not encrypted, anyone in the middle who's capable of scanning this traffic can basically see all the transactions passing by?


In addition to phishing risks noted below, I wonder how many typo squatters will pop up for the cash@square.com cc.


http://d.pr/i/oEmN chrome banned the request.


Aren't emails sent in plaintext? What are the security and privacy implications of using this service?


Since it's based on email, the same as email. You can encrypt the body but not (most of) the headers. So yes, there's a privacy concern there.


Glad they changed it from 50 cents to free. Smart move.

They solve this problem with the least amount of friction.


Any idea what mail system they use to handle all these mails? Or is it an in-house built system?


The security here is very very questionable. It is non-existent and that worries me.


How does the email source verification work? SPF and DKIM checks? Any idea how they can credit a debit card? I'm guessing they rolled out their own solution with a few of the biggest US banks, having accounts at each one?


Would this still work if someone used a fake email script?


How do they make money with this? BTW I didn't know I could scroll for the longest time! I thought it was an animation.


It doesn't accept British Pounds yet :(


On an aside, what a great website, the background video and colorization all work so well.


What about sending cash to an international debit card? Has anyone tried this?


Did Square just kill Dwolla?


Hmm? Isn't an email address fakable?


Seems to work amazingly although I'm a bit concerned about the security. A friend sent me $1. I get an email from Square, link to website where I entered my debit #, expiry and postal. It deposited directly to my debit card (I didn't even know you could do that). The deposit already arrived!

"Checking Card Adjustment POS Pin (Credit) $1.00"

So I sent him $1 back (to: my friend, cc: cash@square.com, subject: $1). And it instantly sent it to him. I didn't have to verify my details or anything.

I'd feel a lot more comfortable if there was a security blog explaining how they are validating that I indeed sent the email and it wasn't simply spoofed.

Edit - I did this from Gmail which I presume authenticates all of the emails via DKIM? I'm guessing this won't work as automatic for other providers?

Edit2 - Just attempted with another friend and had to verify manually. The automatic-authorization appears to only apply when it's between two previously validated parties.


So one day you get an email that you got $100 and all you need to do as a recipient is to click on a link and enter your full credit card details? Sounds like a phishing paradise.


Not even a credit card - a debit card!

In the US at least, these are not covered by the $50 limitation on losses on unauthorized transactions. In practice the banks often honor that anyway, but AFAIK they don't have to.

In this case however, it appears the bank could argue that when you got phished, you gave access to a third party.

Wow. I would never do this. It's a good practice never to use a debit card online, and it's unclear to me whether the service here offers any enforceable assurances to participants.


I'd risk a debit card on this technology only if there was a small amount in the account and no overdraft capability.


I just found a major limitation with this thing. It blocks payment from any prepaid Visa/Mastercard - even reloadable cards attached to virtual checking accounts that support ACH (payroll cards, Netspend, etc). That eliminates payments from a huge section of the population.

http://prntscr.com/1xm5le

Another issue: if you make a mistake on the initial email, and want to send a different amount, you're out of luck. When you send a corrected email from the same address and go to the payment page, it adds any previously unfinished transactions from your email to the amount being sent, with no way to cancel the mistaken one. So just never make a mistake, and never do a test transaction you don't intend to finish, or you'll be required to finish and pay for all of it when you finally do have the correct amount and want to send a transaction (which you can only send with a small subset of the debit cards in existence).

These payment companies are always introducing interesting new things and then they hobble them with basic oversights and fundamentally flawed policies. In the last hour I've gone from excitement to disappointment with this service. It had promise based on the description, but this particular service (probably not Square itself) will fail very quickly.


>> I just found a major limitation with this thing. It blocks payment from any prepaid Visa/Mastercard - even reloadable cards attached to virtual checking accounts that support ACH (payroll cards, Netspend, etc). That eliminates payments from a huge section of the population.

.. Aaand it's not an accident either.


Is that to meet the money laundering/auditing requirements?


Sounds like this is probably more of a security feature. Prepaid cards are harder to track, and would be more suspect to fraud.


You know what's at least as hard to track and prone to fraud? Actual cash. I really dislike the idea that e.g. children shouldn't be able to pay for things over the internet because their identity can't be verified. Let's see some more support for prepaid cards.


Are pre-paid cards the only option for children in the states? I'm in the UK and I've had a debit card (attached to a bank account) since I was a young teenager.


I had a checking account under my Dad with a debit card when I was a minor. When I turned 18, I just called them, and they made it my current checking account. I'm not sure what the difference was.


Actual cash is nearly impossible to fraud/counterfeit.

Are you a parent? I do not want my kid buying products unfettered.


I hate to break this to you, but they can already buy things in physical stores.

And if you legitimately have a $20 bill, I can walk into a store, represent that it's mine, and buy things with it, never encountering an obstacle along the way. That's the same fraud you're worried about in prepaid cards.


Of course they can, but as a parent, I find it easier to supervise their store purchases than their online purchases, because they have to physically go there, and I can notice it.


Frankly, if you're that interested in tracking what your children have and haven't bought, online purchases are likely to be easier, in that they come to your home through the mail.

The general categories of things that children are commonly restricted from buying:

- Drugs. These are all black market, so availability of prepaid cards is unlikely to change how they're bought.

- Alcohol. I've never tried to buy this online; I know eBay Now wanted to sell it and concluded that the cost of legal compliance was too high. Even assuming they could find mail-order booze, it would arrive in the mail, easily detectible.

- Pornography. This can be consumed directly on the computer, raising possible detection issues. However, if you're afraid of children buying it over the internet, I've got some very bad news for you...

- Birth control pills? I'm running out of ideas.

Are you afraid they'll buy digital goods? Why?


> - Birth control pills?

Exactly the kind of thing teenagers should be able to buy without their parents' consent.


You won't find me disagreeing with that, but the fact is birth control pills are controlled.


You need a prescription from a doctor to buy that ;)


> in that they come to your home through the mail.

Says who? Who says they couldn't send a package to a friend's house, or a workplace?


If they have a workplace, all hope is lost.

How would you react to receiving a package in the mail for your son's friend?


Oh I know how I would react, but that doesn't mean every parent would react that way.


I also wish the limitations would disappear, but there are two reasons keeping them in place:

1) Government wants to ensure it can track all digital transfers (many pre-paid cards require activating with SSN)

2) Failing to approve certain transactions is the equivalent of a financial firewall because banks and payment processors know they haven't hardened their servers enough to prevent another one of these: http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-...

Now, if policy-makers were convinced the online-children-purchases market were bigger than the drive-by-ATM fraud, we would see the rules changed tomorrow.


I didn't even bother trying. I knew it wouldn't do what it said because I'm not in America. I've sent cash to other countries before but this isn't cash so it can't possibly work. It would be nice if they clearly listed who can't use it to save people's time.


Just a note, for most countries, the best non-cash way to send money is an international wire transfer (sometimes called a telegraphic transfer). This is _not_ Western Union, which is ludicrously expensive; it's done bank to bank.


Every international wire transfer I've seen offered by my banks has cost at least $15 - $25.

Here in NL, it's so much easier to send someone money: They tell you their IBAN, you grab your Random Reader and enter your PIN and get a secure code to authorize the payment, and it's done. There's not even a market for companies like Square, since the banking system is designed to handle these typical situations. People here look at me like I'm crazy when I say that if I want to give someone money I either have to use PayPal/Square or just cash.


> with no way to cancel the mistaken one.

I see a "cancel" link in the email Square Cash sends me.


I did notice that there is a cancel link in the original email - a very small link at the bottom - but they should make it possible to remove any of the transactions it tries to compile together on the sending screen. Having to go back, find the email, and hit the cancel link after you realize that they are including transactions that you had no intention of completing isn't exactly intuitive. There is also nothing anywhere that says that this is the procedure required.


" and hit the cancel link after you realize that they are including transactions that you had no intention of completing"

Why are you starting transactions you don't intend on completing anyway? I haven't tried it, but from what I've read so far the workflow seems perfectly reasonable for the vast majority of transactions. It's not like when I pay a friend the 10$ back he fronted me last week in the bar when I forgot my wallet, that I give it to another friend first and say 'hold on to this for a bit while I ponder whether to actually go through with this 'transaction''.


>" It blocks payment from any prepaid Visa/Mastercard - even reloadable cards"

This is to prevent money laundering and tax fraud.


It also doesn't work with pure ATM cards that lack a Visa/Mastercard logo. Maybe I am a bit over-paranoid, but I don't like the idea of staring at a zero bank balance while some fraud department promises to fix things up real quick now if I just stay on hold.


If you don't trust your bank to fix fraud, then you need a better bank.


I actually laughed at that. Every bank here is the same and we supposedly have some of the safest banks in the world. I'm limited to an 8 character password, and the other banks here are little better. New Zealand.


Really? I've been impressed with Kiwibank's balancing security and usability. Rabobank NZ have two factor authentication too.

Of course if you're with one of the four majors, well... they're owned by Australians, what did you expect?


It's safe in NZ because even with access to your internet banking, a thief can only transfer money to another NZ account and they're fairly reliable at verifying the identities of account holders.


Which bank are you with? Having had accounts with 4 major banks here (Kiwibank, ANZ, Westpac, ASB), I can confirm that you are allowed passwords more than 8 characters. Also, several of them offer a second protection level for logging in.


ASB. How did you get a long password? It just deleted the characters at the end when I tried (6 months ago).


Thank you for taking the time to try it out and for reporting the results back to HN.


> The automatic-authorization appears to only apply when it's between two previously validated parties.

This doesn't feel quite right, as you describe it you'd validated that it's ok to receive money from them, not send it. I'd be more comfortable if it was validated in some way when you first send something to a person. Receiving money doesn't mean I trust a person.

I could send you a dollar, and when you accept it I could fake an email back giving me 100. I hope this only happens with signed emails.

About DKIM, does it stop someone from repeating an email? Could I fake an identical email that has been sent before? If so, that's something that normally wouldn't be an issue (duplicate emails aren't really a problem, you can't inject any information, change links to dodgy sites) but would be huge for sending money.

EDIT - from the DKIM site

> DKIM does not protect against re-sending (replay of) a message that already has a valid signature; therefore a transit intermediary or a recipient can re-post the message in such a way that the signature would remain valid, although the new recipient(s) would not have been specified by the originator.

EDIT2 - Square's security page is brief and, well, sounds odd

> detects suspicious behavior in real-time, and in many instances, even before it happens.

How do you detect behaviour before it happens? Isn't that inherently impossible?


You bring up an excellent point about simply replaying the same message. I'm curious what mechanisms are in place to prevent that.

And yes, the exchange was B -> A which gave automatic authorization for an A -> B transmission, which I do agree is a bit presumptuous on their part.


You're right, DKIM doesn't sign the message-id, which is the obvious de-duplication mechanism. What a half-arsed oversight.
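The replay concern discussed in the comments above, as an added example that is not part of the thread and not Square's code: which headers a DKIM signature covers is chosen by the signer in the `h=` tag, so a receiver acting on payment e-mails has to check that coverage, the signature's age, and whether the message was already processed. `ReplayGuard`, `REQUIRED_SIGNED` and the 15-minute window are hypothetical names and values, and cryptographic verification of the signature is assumed to have happened upstream.

```python
import re
from email import message_from_string

# Hypothetical policy: headers that carry the payment's meaning (payer, payee,
# the cc'd service address, the amount in Subject) plus Date and Message-ID.
REQUIRED_SIGNED = {"from", "to", "cc", "subject", "date", "message-id"}
MAX_AGE_SECONDS = 15 * 60  # assumed freshness window, not a documented value

# Constructed sample message; bh= and b= are placeholders, not real signatures.
SAMPLE = "\n".join([
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; t=1381950000;",
    " h=from:to:cc:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER",
    "From: alice@example.com",
    "To: bob@example.org",
    "Cc: cash@square.com",
    "Subject: $1",
    "Date: Wed, 16 Oct 2013 19:00:00 +0000",
    "Message-ID: <constructed-1@example.com>",
    "", "",
])

def dkim_tags(header_value):
    """Parse a DKIM-Signature value (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

class ReplayGuard:
    """Decides whether an already DKIM-verified payment e-mail may be acted on."""

    def __init__(self):
        self.seen = set()  # a real service needs a persistent store with expiry

    def check(self, raw_message, now):
        msg = message_from_string(raw_message)
        sig = msg.get("DKIM-Signature")
        if sig is None:
            return "reject: no signature"
        tags = dkim_tags(sig)
        missing = REQUIRED_SIGNED - set(tags.get("h", "").lower().split(":"))
        if missing:  # an unsigned header can be changed without breaking the signature
            return "reject: unsigned " + ",".join(sorted(missing))
        if not tags.get("t", "").isdigit():
            return "reject: no signing time"
        if now - int(tags["t"]) > MAX_AGE_SECONDS:
            return "reject: stale"
        message_id = (msg.get("Message-ID") or "").strip()
        if not message_id:
            return "reject: no message-id"
        key = (tags.get("d", "").lower(), message_id)
        if key in self.seen:  # byte-identical resend of a validly signed message
            return "reject: replay"
        self.seen.add(key)
        return "accept"
```
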


> How do you detect behaviour before it happens?

Didn't Minority Report answer that question?


I posted up a detailed screen flow of the entire process on my own site if anyone is interested:

http://blog.charleyma.com/square-cash-initial-thoughts-scree...

Overall though, extremely impressed with Square's offering and it was also instantly debited to my account. Curious to see if the value increases to a somewhat significant amount if this "instant transfer" translates into 1-2 business days.


Even if Gmail is the reason, I hope they'll add an option to verify the transfer anyway. It looks like something that is easy to use other vulnerabilities to mount an attack.


There's a pretty straightforward SMS confirmation thing you can enable by logging in to your Square account. Tested and it seems to work well. Also note that the weekly transfer limit is $250 if you don't verify yourself, so the risk is somewhat limited.


Out of curiosity: Do you know whether the $1 is listed as "available funds"? Some (all?) banks list pending transactions like check deposits and include those funds in your account total, but then have a separate header for "available funds" that are actually usable to spend or move.


In my bank (Capital One 360, formerly ING Direct) the deposit is listed as cleared & available. The $1 I sent him back is in a pending status (and thus removed from my available balance)


This is almost exactly the same system as Interac in Canada. Will work well until the fraudsters figure out they can steal with it then limits will happen. Wonder what the merchant fees are and if they seize accounts for receiving an arbitrary amount of payments


There are no fees by the looks of it; it's completely free.


No it isn't, somebody is paying something to someone. Square is just not charging the people who exchange money... yet.


That's like saying Facebook isn't charging people yet.

There are monetization strategies which don't involve charging the end user anything for the service provided.


It looks like how it lets you claim your money without your bank account details is by processing a refund. Don't know how they did it, but it's very cool.


[deleted]


You mean email account, and not address, right?

Prevention is less important than detection and reversal before withdrawal, which Square and other payment methods companies are pros at.


I agree that security could and should be a huge concern. With your credit card you're protected from fraudulent transactions. But this is not the case with ATM. If someone gets a hold of your ATM + PIN, you're just plain out of luck.

Not sure how that translates to this service, but if something is compromised, you might just end up with an empty bank account.


Email verification would be done with SPF and DKIM. I would sure hope that this is required!


The issue is also that people will just squat on compromised accounts and then nick funds as they appear. Low probability I suppose, and that's what they're betting on.


What are the verification steps for sending money to a previously unknown party? Is it SMS verification, or do you have to re-enter your card details?


I agree. Security is definitely a major concern for me. Still a cool concept though


NSA will start to deposit the cash you send, it's just "Metadata"


I understand the attempt to farm karma by mentioning the NSA in every single unrelated thread, I'm just surprised that this is the best that you could do. Surely there's a better story to be told in monitoring financial transactions (which they actually do) than in pretending that they're going to steal the $8 you sent to your buddy for beer.


I'm not sure the source of your frustration. The idea was to be funny and hint at the fact that email is not that secure. I wouldn't feel secure sending more than $8 on this platform... How am I to know that my email (or packets as part of the transmission) are 1) Encrypted, 2) Not tampered with 3) From whom they claim to be from.

Email guarantees none of those traits 1. Encryption from server to server is optional, 2. Who knows how many MXs are hit until it finally makes it to my mailserver 3. Mailservers have no authentication mechanisms that ensure someone cannot send mail on my behalf.

Yes, well configured mail servers will make attempts at these things through SSL/TLS connections, doing direct connections only (no proxies/relays) and by only accepting mail from servers listed as MX servers or with SPF records etc.

Thanks for the -4pts.


Actually, I think that "better story" is that we cannot and should not entrust proprietary and closed systems with our vital information. Just like how "security through obscurity" has long ago been proven untrue, so too should we stop using non-free software to do our tasks, especially highly important ones with sensitive data.


The guy was just trying to be funny. The NSA stuff will clear up on its own.



