Recently our Company has had major Issue with the Square Company, Unknowingly our credit card was processed using their equipment at a restaurant that our CEO has visited. When Square Corporation processed our credit card they also sent our Corporate Credit Card information through email with other useful information that could be used in Social Engineering Scams and on top of that to what appears several other people through email that ARE NOT RELATED TO OUR BUSINESS.
Now being a company that does internet security, infrastructure and property security auditing, online safety, & promoting safe ways in detecting fraudulent online businesses and websites while shopping online, We have found some very interesting things about this so called legit United States based Company. Some of which fit the profile of Ponzy Scheme, or a Business Front run from a basement. I’m sure this is not the case, but trying to get support and help to resolve our issue as gone something like that of an old commercial that was on TV awhile back. Some may remember a old commercial of a guy that has many phones and doesn’t answer them and when they do they just give their so called customers a run around. I believe this was a Capital One commercial, but not really sure since it has been some time ago that this was on TV.
Our company points out some of the most basic and what we call common sense things to look for when shopping online or doing business. We do this with our customers to help better protect them from scams and give them a understanding of what a business would typically do when they don’t want to deal with customer service. For example when go shopping online we all want to be able to solve our issues or returns easily and effectively, return damaged items, billing issues, etc. Square Corporation on the other hand actually fails several of these basic tell tale signs and we would consider as a fraudulent company, some sort of scam, or having a hidden agenda.
1) A Legit Business should ALWAYS have a easy to find contact phone number.
2) A Credit Card Processing Company should have a hotline for possible Fraud Complaints and ABUSE.
3) A Legit Corporate Business that has multiple locations should have these locations listed with addresses and phone numbers in the region to field, sort, and handle local complaints or issues.
4) A Legit Business would make this information easy to find for the consumer as well as their own customers.
In the following I will show how this so called company does not only make it hard to find information on their website and contact them, but also really does not care about the consumer and their customer base as they use their own customer base for their own data gathering purposes. I also will also show how the information they leaked can be used in a scam against any person unknowingly and gain access to your credit card information and use that to drain accounts.
First off what we tell our customers and businesses when dealing with anyone that has a online presence either being for shopping like e-commerce sites or as a business looking for a vendor of some sort is to look for ways to easily contact them for issues or support. SquareUP Corporation goes against all aspects of easy to contact, easy to fight fraud, and make complaints about issues.
Below you will see a capture of the SquareUp.com main page or also called the entry page. It is very common practice for Legit Businesses to have a number listed in this location on the top of the screen or a contact us link to make it easy for consumers and customers of their own to do business with them. As you can see their is no such thing that exists on this page, However in trying to be fair we do see a MENU option, but first we will check the bottom of their website in the footer as this is another common place to find contact links or phone numbers for fraud and complaints.
Now looking at what is called the bottom of the page or also called the Footer, again we do not see any easy way of contacting any fraud department or phone number to fix the issue of our corporate credit card information being emailed without our permission to people we do not know and are not related to our business, however we do see here Company Information, which again we will give them the benefit of doubt but at this time I would suggest to any of our customers not to use this company for any reason, and now to ask all places they shop or eat at if they use the SquareUp Credit Processing and leave the establishment as you or someone else will be getting an email with enough of your information to use against you in a Social Engineering Scam which I will cover later as I go through this ridiculous attempt to remove our information from their systems which we never agreed to being used against our knowledge and being leaked to again other people we do not have affiliations with.
Now looking at the Corporate Information page and is very common practice for a Legit Company having multiple and regional offices that would make issue solving and contacting them easier, however they do not have anything except a mailing address for their office in CA. In my opinion this is a big joke and so far in trying to remove information and people from their systems that are not even affiliated with us and are getting emails containing our corporate shopping and eating habits is just plain ridiculous. This would be another typical and industry standard area for any legit business to make complaints to a fraud department or security team, however we see they have other offices but they also do not have addresses or phone numbers to contact locally. Is this company actually for real, or is it just a bunch of thieves hiding behind fake business fronts? I’m starting to wonder what their real business is? Is it collecting data from unknowing customers and then using whatever email address they feel fit to send this information out to? This is a major Privacy Concern to me and should be to any establishment using their Credit Card Processing System.
Well since all of the above attempts in finding some sort of contact number for Fraud and complaints on how they are leaking our Corporate and Private information to people that shouldn’t have happened. We go back to the main page and to the Main Menu and which is also typically a very common place and that legit businesses would list a Contact US or Phone Number, However once again no such luck, Hmm not sure about you but I don’t have a lifetime to spend on finding places to find contact numbers with a business that is so called legit and may want to do business with or file a complaint about our business information and what we buy or do being leaked to anyone we don’t know. These are very big Privacy Concerns in our opinion, Well again I will be fair and do see a Support Link and Sales. First we will go to Support since this would be a common place to start a complaint process. Plus we are not looking to buy anything nor do I want to sit on the phone trying to talk to some robot automated system to get to some person that is also robot like that just wants to sell me services we don’t want. We just want our information to stop being emailed to the wrong people!!! Information again mind you that can be used against the general public in a Social Engineering Scam!!
Well appears the Support link is as useless as this Company Appears to be and no way to dispute our information being leaked to the general public about our companies shopping or restaurant habits without our knowledge and without our permission to do so. As you can see in this screen shot you must be a customer and in my opinion a pretty worthless company which has very manipulative business practices.
Our company has never signed up to have our information and shopping habits to be emailed to us or anyone else by that matter as this again is MAJOR PRIVACY concerns and is very intrusive as well. Not only to us as a consumer, but as any business that deals with this company and agrees to such practices that concern such privacy issues and ability to have information stolen. Now with this in mind do these businesses using these Processing Systems now automatically get our email addresses without our consent so they can spam us too? Now doesn’t this open a business liable for any business using such a ridiculous and uncaring company tactics that just emails who ever they feel fit about your personal shopping habits and credit spending habits without your permission. While also displaying enough information in these emails if sent to the wrong person or people that can be used in a Scam against you?
After many hours we finally are getting hold of some base level tech support person that obviously is oblivious to any security issues, and this companies security team is as dumb as a bucket of rocks to what problems their mistakes can lead to in consumers loss of monies, credit card theft or even possible identity theft. I had to laugh it off cause I couldn’t believe the comments and moronic comments made about the situation. Did this companies security team get their training from a cracker jack box?
Below is an example of the information they send out automatically and without your knowledge to who ever they feel fit, and who they have on records as possible links to your credit card. Our corporate card had email addresses to people who are not even in relation to our business and some we don’t even know as customers and have relationships with. Also since this leak has happened we have had some very interesting calls and hangups. Is this coincidence? In my over 15 years of experience in tracking hackers, bot networks, crackers, and social engineering techniques I THINK NOT.
Well here is what they sent out to whomever they feel fit, Although to the regular person this may not seem to be a lot of information and could very well be seen as harmless, however to a Hacker, Cracker, or Malicious Individual this gives enough information to do some damage and steal your credit card information. Not many realize that receipts can be used against us. For some unsuspecting individuals this receipt offers enough information to create scare tactics and social engineer the target and also makes it easier if this was emailed directly to a malicious persons email address or was found in a hacked email account.
BTW I have changed the name, Card Trans #, and Card last digits.
Now some are probably thinking to themselves, What The Hell is Social Engineering? Why the hell should I care? Well this is a tactic used by people with malicious intent. Some people use guns and rob people, or break into cars and houses. Social Engineering is in some sense using scare tactics to get people to make rash decisions and choices. Also using friendliness and information they have gathered about you to make themselves seem legit and concerned about you.
Some examples of common Scams using Social Engineering
- Many people have come across popups on the internet that say ” YOUR COMPUTER HAS BEEN INFECTED, CALL US NOW!!! And Have a $100 Money card available for support or your computer will delete all data or self destruct.” At this so many people freak out and go O MY GOD, I can’t lose my data or my computer, I can’t afford a new one. Then unfortunately some make the call and spend the money on the card and get scammed. Sometimes also giving these malicious people access to their computers where they store all their password lists and account information which leads to more theft. We see this on a daily basis and try to make people aware of these tactics, These are Scare Tactics to scare an individual and get them to not think straight and make rash decisions.
- Another one that many of us hear and get calls for regularly is tactics where scammers will claim they work for Microsoft and say that your computer is infected and you need it fixed or your internet will be shut off or something to that effect. Another Scare Tactic
- Another very common one is the IRS is gonna arrest you, This we have seen as a increasing Scare Tactic on the rise.
Now with this in mind now think about the receipt above. I’m gonna go through a very basic script which I see people fall for all the time in security audits of corporations.
Now lets say BOB MCBURGER is actually an elderly man. He is not all computer savy as well. Below I will use BOB as his responses and MindHacker as the person making the call that’s going to use Social Engineering to gain full Credit Card Information.
First question you may have is how did I get his number. Well to make it simple cause their would be many tactics and ways and at times hours of work in tracking the particular person down, but scammers have plenty of time and look to drain lots of money to make sure its worth their while to find Bob Mcburger, but lets say he has a Facebook account and he is very trustworthy person and doesn’t have his profile blocked to the public, so I can see his location, and after I see his phone number that he happens to list on his facebook account page. I can easily see that the restaurant he visited and his phone number are in the same area. Well BINGO I must have the correct BOB and will make a call an try the scam.
- MindHacker – Good afternoon may I speak with Bob McBurger we have a security concern about his credit card he used recently at Big Bob’s Burgers & Fries?
- Bob – This is him, How may I help you? You say security concern?
- MindHacker – Yes Bob I work with Square which is the credit card processing company that the restaurant you visited recently. We have noticed that your card was run several times, One time it was run for $224.87 that night and also charged several other times making the total come to $3,000.
- Bob – O my goodness, no I only used the card one time.
- MindHacker – I’m sorry to hear about the discrepancy Bob, but let me help fix this issue and this is our reason for calling.
- Bob – Thank You
- MindHacker – I will need the following information for our security team, I see the card you used ends in 9999. Is that correct?
- Bob – Let me grab my card and verify. Yes that is correct.
- MindHacker – Bob could you please verify the first sets of digits on your card.
- Bob – Yes, I can’t believe this has happened, I can’t afford such a mistake. The numbers are 1234 1222 2122 9999
- MindHacker – Thank You Bob that is what we have listed, Could you please confirm the expiration date?
- Bob – 01/19
- MindHacker – Bob that is correct and what we have here on file as well, just some more information so that we may clear this up for you. I will need the CID number on the back of the card.
- Bob – The CID is 9821
- MindHacker – Ok Bob just one more bit of information then we are all set and able to clear this misunderstanding up and return your overcharged funds. I will need you to provide me with the address related to your card and mailing address if its different so that we can send you the proper paperwork for your bank if any further issues occur.
- Bob – Ok – Address is 100 Winter Rd. Gotham City, Mars, 10002
- MindHacker – Bob Thank You for your time and we apologize for any issues this may have caused you. Have a good day.
This is just one way a emailed receipt into the wrong hands can cause anyone some issues. It is not typical of many thieves to go looking around through the trash for this information anymore, but not uncommon as well depending on where you live. We live in a digital age however where it is much easier to break into email accounts, or use man in the middle attacks, and have robots on the internet to do the dirty work for us, but when we have a company with such moronic email policies and no ability to fight to protect ourselves and our privacy from them automatically emailing our receipts that show our shopping and eating habits this just makes it worse and sick to my stomach, Too many people in the cookie jar per say and it opens many of us up to more scammer calls and people having access to otherwise private and personal information about us on the internet. Making our private lives more public then any of us expected and without our control or ability to fight against such abuses.
We would love to hear about your issues with Square As well and make it very public that the practices of this company go against our civil liberties and privacy. We as a society should not be subjected to having our information emailed out automatically to other people without our knowledge and we should be able to make this company feel the consequences of their actions. They should also give us the ability to block ourselves from their systems.
It is one thing if we lost our own receipt and have scammers call us verse a company digging on the internet to find out our email addresses and using them to their benefit, specially when our credit cards are not even linked to the correct email address(s)
Their should also be statements and privacy statements listed at all establishments that use this credit card processor.
When we find scammers we like to make it known to the public and we will waste their time as much as they do ours with their lies and deception, Be it emails, Fake Calls, Ect, We all need to be more aware of what is truth, what is Safe, and what is lies.
I hope the above has given some insight to some. The more we teach the better society will get and the safer we all become.
We will keep fighting this company that uses other people emails to send our receipts to and WE WILL NO LONGER VISIT ANY RESTAURANT OR ESTABLISHMENT THAT SUPPORTS THIS COMPANIES UNETHICAL PRACTICES. WE WILL ALWAYS ASK “DO YOU USE SQUARE or SQUAREUP FOR CREDIT CARDS AND IF SO WE WILL LEAVE…
Send questions, stories, and comments to Support *at* zsysnet.com