293 comments

[ 2.6 ms ] story [ 244 ms ] thread
I remember seeing this talked about a while back and not thinking much of it, but the details look slick. Sending money with no signup required seems pretty awesome.
Free. I bite, What's the catch ? I presume recruit users to use the Wallet app ?
This is similar to competing services on venmo and paypal. I believe they make money on:

1. The "float". The interest that they make from the period that people have cash in their accounts. If an ACH takes 4 days to complete, they may take 5 days to complete it, and collect a day's worth of interest

2. The halo effect. Now you're a Paypal/venmo/square user, and therefore more accessible to vendors using them as a payment processor. Those vendors pay the service transaction fees.

It sounds great, but I'm always left wondering what the angle is for free services. Will they make their money off of float? Is it something to do with the way debit cards are charged?
I think linking accounts to debit cards is pretty valuable on it's own. It opens the door to making payments for a lot of people much easier down the road.
Like how Paypal encourages you to tie your bank account to your Paypal account; they get to charge merchants the credit card interchange rate while taking advantage of the low ACH funding risk on the buyer/purchaser side.
>Free. Actually Free.

Ok now I'm confused. I realize it's probably a marketing ploy, but how could the fees on this not eat them alive?

There may be some fees for them here, but it's not like they are paying 2.7% per transaction. It only uses debit (not credit) cards.
(comment deleted)
NSA will start to deposit the cash you send, its just "Metadata"
I understand the attempt to farm karma by mentioning the NSA in every single unrelated thread, I'm just surprised that this is the best that you could do. Surely there's a better story to be told in monitoring financial transactions (which they actually do) than in pretending that they're going to steal the $8 you sent to your buddy for beer.
The guy was just trying to be funny. The NSA stuff will clear up on its own.
Actually, I think that "better story" is that we cannot and should not entrust proprietary and closed systems with our vital information. Just like how "security through obscurity" has long ago been proven untrue, so too should we stop using non-free software to do our tasks, especially highly important ones with sensitive data.
I'm not sure the source of your frustration. The idea was to be funny and hint at the fact that email is not that secure. I wouldnt feel secure sending more than $8 on this platform... How am I to know that my email (or packets as part of the transmission) are 1) Encrypted, 2) Not tampered with 3) From whom they claim to be from.

email guarantees none of those traits 1. Encryption from server to server is optional, 2. Who knows how many MXs are hit until it finally makes it to my mailserver 3. Mailservers have know authentication mechanisms that ensure someone cannot send mail on my behalf.

Yes, well configured mail servers will make attempts at these things through SSL/TLS connections, doing direct connections only (no proxies/relays) and by only accepting mail from servers listed as MX servers or with SPF records etc.

Thanks for the -4pts.

I think they've done something quite clever by (I infer) getting people to join up when they receive money. Venmo puts up an unnecessary wall by requiring that the payee sign up before they can be paid.
I think thats an awesome idea, in the current world where the cash is not used as often as before and its hard to just send money to your friend or relative without dealing with long forms, swift codes, routing numbers etc...I am just wondering how did they manage to make it free? Any ideas?
Note that it takes 1-2 days for the deposit. They must be using ACH to do this. The 'free' part is great. Even with Square, I'd be hesitant to enter my debit card number.

Planet Money recently did a great episode all about the US's ACH system and why it works the way it does.

http://www.npr.org/blogs/money/2013/10/04/229224964/episode-...

I don't think they're using ACH, at least not exclusively. You can't do an ACH transfer with a debit card number.
> Even with Square, I'd be hesitant to enter my debit card number.

Are you afraid of entering your debit card number? How do you make purchases online?

I'm going to guess with credit cards.

Credit card numbers are much safer to use online than debit cards, mostly because credit card dispute mechanisms give consumers a lot more power. If a merchant behaves in an unsavory way, with a credit card you can usually just call your bank, issue a chargeback and that's the end of it. You can't do that with a debit card.

This is wrong.

You absolutely CAN dispute charges with debit cards. The problem OP might have with debit cards could be that a fraudulent charge temporarily locks cash funds (with debit card) instead of credit availability (with credit card).

Ah, thanks for the clarification.
You're oversimplifying.

There are wide differences in consumer protections between credit and debit cards.

The list of reasons for a valid chargeback on a debit card is much more narrow than a credit card. For example, suppose you purchase a tablet online and when you get the package, you sign for it, open it, and it's a paperweight. If you charged that on your debit card you're out of luck and will have to go to small claims court. On a credit card -- especially a good credit card -- the charge would be reversed. The issue there is that you signed for the package. If you don't believe that, give your bank's fraud dept a call, and then your credit card companies.

American Express obviously is great for consumer protections but truthfully any Visa Signature card offers a competent level of service.

Personally, I would never use a debit card online (or anywhere else for that matter) and would advise anybody against it. Not to mention, you can earn some fantastic cashback/mileage benefits. My wife and I are flying next spring to Europe, first class from San Francisco, over $20k in airfare, for only $2500 out of pocket for taxes and surcharges. To earn this we've spent $40k between 2 British Air cards in 15 months.

I will only point out that you're paying for this kind of convenience in getting your money back - and the cheap flights - somewhere.
Somebody is paying for it. Maybe not (only) the person getting cheap flights.
Ted has it right. Consumers with comprimised credit pay for the benefits given to consumers that the CC companies see as more desirable. I'm not one who believes in not taking a bite at the apple when everybody else is.
Actually, that is not the real reason credit cards are safer :)

You can dispute most debit card transactions now.

Besides the "one is availability of credit, the other, real money", there is a liability difference.

It used to be, at one point, that debit card liability was essentially unlimited but a consumer's liability for fraud on their credit card was limited to $50 by federal law (see 15 USC § 1643). Debit card liability now has a maximum as well, but your maximum liability actually depends on how quickly you notify.

If it's within two days, it's $50 liability on a debit card, but if you notify past that, they could legally make you liable for up to $500.

(There are other liability generating situations that exist for debit cards but not credit cards)

As lbarrow said, I use a credit card. It used to be that debit cards offered almost no protection. I think they're competitive with credit cards now, but that may only be when you're using it like a credit card. I don't know if this would count towards my fraud protection (which, honestly, I know nothing about).

Really, it's because I use my credit card as a firewall account. If my credit card gets compromised (which has happened twice before), I have to change maybe a dozen things that link to it. It's an inconvenience, but my bank can get me a new card the next day. Worst case scenario I lose my credit card for a week or so.

If my checking account is compromised, things are worse. If my checking account gets locked, not only can I not use it, I also can't pay my credit card. I'd have to setup my paycheck (pain), rent (pain), and some other things. Then I'd have to re-link a couple of other bank accounts. While I like my current bank, I don't want to take the risk of that account being locked for a week.

The idea of giving a random website (in that I don't have an account/relationship with them) a number that provides direct access to my paycheck gives me the shivers.

You could do basically the same thing with ACH. If a payment service asked you to enter your routing and account numbers, would you be OK with that? I see it as the same thing.

As a non-USAsian, I'm always puzzled by the American's paranoia about their bank account details.

In most countries, bank account numbers are effectively public knowledge, and appear at the bottom of invoices and such. The trick is that with this knowledge you can pay money in to an account, but you can't get it out - for that you need authorisation. This makes paying via echeck or direct credit very easy.

Am I right that in the US you can get money out of an account if you know the account number? If not, why the secrecy about your bank account numbers?

It may be a historical thing. Whenever you get a receipt from an ATM or a store, your account number if blocked out (so you end up with "XXXXXXXX9585") for privacy reasons. I honestly don't know dangerous exposing my account numbers would be. Consumer protection laws can be hit-or-miss (or, in many cases, just plain missing). It's easier to just be careful.
Yes, in the US you can take money out of an account if you know the number. No, it's not a good system.
I'm no expert by any means but aren't the account number and routing number both printed on the bottom of every check? Are you saying that simply giving a check to someone compromises your checking account?
Yes, they are printed on the bottom of checks because they are the information that allows conversion of the check into money. Yes, giving a check to someone compromises your account. You're trusting the other person to do nothing other than withdraw the amount on the check, but you're giving them enough information to withdraw whatever you have in your account.
And be charged with a crime for it. That's the other part. Not just trust.
Actually, you can't just take funds out. How would you do that, counterfeit a check and commit fraud by cashing it in? The bank ATMs/teller machines would reject that check and you'd find yourself in prison very quickly.
You use the system backing check processing, ACH. Theoretically, this is similar to counterfeiting a check, except:

- these are electronic requests, so there's nothing to distinguish "genuine" from "fraudulent" ones

- you really do have all of the information that goes into an ACH payment

Really, it's much more similar to forging a check than to counterfeiting one.

What service allows you to specify a debit from an account that's not authorized, in hte US? No bank that I've even used provides that, nor does an online service or API without first authorizing a debit via ACH with the deposit confirmation.
deposit confirmation seems to have disappeared. I pay several of my bills (including rent, kind of a biggie) via direct withdrawal and never confirmed the account. Just went to a website one day, typed in some numbers, and clicked pay. (oh, I did have to mark the checkbox that says "I authorize this payment", but that doesn't seem like foolproof security to me.)
Actually, you can.

1) ACH. Everyone has mentioned that already. I'd need routing and account number, and likely need to know if it's checking/savings or business/personal. Like they've said, everything that I can find on a check. You could contest it for ~ 60 days, but you'd have to sign something at the bank, and you're out the money till you do.

2) Drafts. They're like checks, but not. Some health clubs (Curves, iirc) do this as well as some other less reputable businesses. Basically, once you sign an authorization (that they keep on file, not like it gets passed to the bank or anything), they can print a check like thing and put some specific language in the signature block area, and deposit it. Typically, this is done in bulk. Often times, it's then immediately converted into an electronic equivalent check (Check21 law) and then deposited in one big file. Return rates on these are astronomical. Most banks won't touch them. They should die.

Remember that the person you're replying to said "which, honestly, I know nothing about".

To remove money from a US account, you also need authorization. The trick thieves use is to lie about having authorization. In that case, it's fraud.

I don't know of many fraudulent transactions that can't be reversed. Even fraudulent/unauthorized wire transfers can be reversed. The bigger problem is the hassle that comes with losing access to cash while the situation is resolved.

Can someone with actual banking knowledge correct me where I'm wrong and clear up this confusion?

Faster transfers are possible. Some companies (Kabbage maybe?) are able to do same day or instant transfers without wiring.

I believe it's done by opening bank accounts at major banks, and then using the interbank transfer system which is instantaneous and only requires an account number and a name. Other services offer pushes to credit cards or debit cards using bill pay systems or blind credits.

It isn't actually that hard to move money from person to person. The real issues with this sort of stuff are: a) payments fraud b) money transmission law and regulatory compliance

Based on the comment above that tried it, your theory of transferring between accounts in the same bank (and then reconciling later) would make sense.

The Planet Money podcast noted that some banks (Capital One, BoA) offer a similar service if both ends have accounts.

Yep - Kapil is correct. Any serious payments company manages accounts in various banks and uses its internal systems to manage credits and debits at the individual account level.
They are not using ACH for this, but rather probably using the PIN-debit networks such as star, interlink, nyce and accel.
There is actually the capability to do an instant transfer over visa and mastercard networks as well, but it is somewhat expensive (>0.20) -- the pin debit networks are smaller and more willing to negotiate this sort of thing, and since most debit cards are able to process on more than one pin debit network you can get 100% coverage with just a couple of the pin debit networks playing ball.

That they are not allowing this for credit cards indicates that they are using the pin debit networks.

but they don't actually require a PIN number to complete the transaction, so that's probably now how it works, right?
> That they are not allowing this for credit cards indicates that they are using the pin debit networks.

not necessarily. you can't think of any other reasons why they'd do this?

Echoing the other commenters: this is really great, but I'm a little weirded out because it's free. I'd like for them to be upfront about why it's free, since all the alternatives aren't.
That's not true, venmo and paypal and google wallet are all free if you use ACH.
And composing an email to send someone money is secure how?

What stops someone from spoofing my email address, CC'ing it to cash@square.com, and clearing me out? And if someone does get in to my email account I'm toast?

Apparently, for suspicious activity, they'll send you an email back confirming the transaction. I would hope that most large-scale modern email services somehow sign emails to vouch for their authenticity to avoid email spoofing. I'd be curious how they handle dumb senders (I'd assume with a verification every time).
> I would hope that most large-scale modern email services somehow sign emails to vouch for their authenticity to avoid email spoofing.

Wait, what? I don't think that is a thing.

There is such a thing (lookup DKIM) but it's really only one factor of email authenticity and I'm sure Square isn't fully relying on it.
You’ll receive a reply from Square asking you to link a debit card."

So you need to confirm it (and provide a debit account) I guess - but not sure how subsequent transactions are handled.

Subsequent transactions are automatically debited without authorization.
Presumably linking a debit card only happens once, and afterward, you're only contacted to verify suspicious transactions.
Surely it's the other end that is insecure. If this starts growing then sniffing unencrypted emails from Square offering "sign-up to receive your money" sounds profitable enough to be interesting to some actors.
Hmm neat, however what benefits do I get using this when it's also built into Gmail and provided directly by Google Wallet?

http://www.google.com/wallet/send-money/

(comment deleted)
Because you don't use gmail? Because your target doesn't use gmail? Because you're already a square user and not a Google Wallet user? Because you'd like to use a debit card without paying a fee? Because you like the letter S better than you like the letter G?
I'm pretty sure Google Wallet in Gmail lets you send money to someone not using Gmail. But you are correct. I guess it's a good solution if you don't want to deal with PayPal/etc. when you happen to use your own email setup or Outlook/Yahoo/etc.
It has nothing to do with being edge-cases like "if you're hosting your own email thing". Personally, I just like to limit how many of my eggs are in one basket, and I already have a lot of eggs in the Google basket. I like my bank's own built-in system for this right now between me and their other customers, and for everyone else I use venmo. It works great, and I have no real complaints about either system.

But really I don't need to be talked out of using Google's like it's the default, and I'm not clear on why you do. I don't really get the "why do you use your own favourite toy instead of my own favourite toy?" crowd

(comment deleted)
The products are marketed very differently and have different features. Google Wallet is explicitly hoping to replace your wallet, focusing on loyalty cards, NFC payment, online shopping, and fraud monitoring, in addition to simply sending money to friends.

On the other hand, Square is positioning Cash as a dead-simple way to send money to friends, whether or not they've download the Latest Social Micro-payments App™. Its plumbing. Long run, they are obviously gunning for cards-on-file to support their merchant tools, where they make money hand-over-fist.

Who knows...Square Cash might expand into something that resembles what Google Wallet is today. They seem to be starting with the basics.

Besides that, Google Wallet is available in all 50 states, while Square does not allows residents of Hawaii and Tennessee to send money (only receive it).

Gmail "Send Money" charges a fee of 2.9% for people who don't use Google Wallet.
Not true. We only charge the sender to send from a credit card. If you send from a bank account or from the funds that you've already received, it's free.
Thank you for clarifying! Looked further into it here [0] "Receiving money is free no matter what." However, the text "You can add other payment methods like credit and debit cards, and a 2.9% fee per transaction (minimum $0.30)" is still a bit unclear.

[0]: http://www.google.com/wallet/send-money/

Thanks for the feedback. I'll see if we can improve the wording at all.
Is that actually widely available? They announced it a long time ago but it has yet to ever show up in my gmail.
It's still in slow rollout stage. If you want to try it now, I'll send you a cent and it should be enabled for you. (You must be in the US, read the TOS, etc.)
(comment deleted)
Glad they changed it from 50 cents to free. Smart move.

They solve this problem with the least amount of friction.

What are they using to do the animations on the demo site?
Would this still work if someone used a fake email script?
This is my favorite type of product. Here's why:

- Take an existing known medium (in this case email) and makes it way more useful.

- They didn't try to build a bunch of new UI for connecting your Facebook so you can find and invite and pay your friends, paying out to your card, etc.

- It magically hides the messiness of an enormously complex problem (fraud, different types of debit cards & banks all over the world) behind a very simple interface.

- Unlike every other P2P payment system, I can actually sign up and receive money (or convince my friend to) using only what's in my pocket (debit card)... not hunting down ACH/wire details.

Looks like an excellent target for phishing attacks!
That was my first impression. I could rip the site, post it to my own domain, and start sending out emails saying "you've got cash, give me your credit card number so we can credit it" in about 10 minutes. Great concept, and I plan to use the service, but as it gains momentum and acceptance, it's going to be a great attack vector for the Nigerians.
All online business ever is a great attack vector for "Nigerians."
No kidding. That step 3 is a doozy:

>The recipient will be emailed a link to easily deposit their cash to their bank.

You have to wonder about the wisdom of training people to view such emails as legitimate.

They just got an email from you. Not so suss.
No, they just got an email from someone that happened to have my address in the `From` field.

Since we're in the realm of phishing already, let's not forget that people still commonly enter their email address and email password into sites claiming to "Find your friends who are using this service".

The problem with social attacks is that they spread socially, and it's not enough for just "some", or even "most" people to be educated for it to be stopped.

I don't think Square are ignorant about this, but I'd like to see some confirmation that some measures are in place to counter threats like these.

What also doesn't help is that sites like Facebook leak personal information like sieves. I've been receiving the spam e-mails claiming to be from various of my Facebook friends for some time.
In the happy case, yes. But, that doesn't consider how phishing works.

So, Square trains people that these e-mails are OK. In the happy case, you get the email from a friend, followed by a link/invitation from Square. Everything is fine.

After doing this several times, one day you just get the email that appears to be from Square, informing you that you have money. This is a phishing email and there is no email from a friend, which should raise a red flag, but for many it won't. Or they may just think Square changed the process. Putting the onus on the user to discern this is not a good plan.

Training users to click a link from an email that resulted from a process they didn't initiate, then enter personal/financial information or credentials is not a good idea.

That's a mail people have been receiving for 15+ years from PayPal.
So is PayPal and just about every other financial institution. Square has some nice safeguards in place here and considering they are going to be the ones paying for fraud abuse, you can be sure they'll be doing everything possible to prevent it.
They're obviously taking a loss on this (due to credit card fees) if the recipient gets the full amount sent. So this must be a loss-leader that's building up to something else where they expect to make a ton of money.

That "something" is most likely just "replacing cash and cards", but will be interesting to see how it plays out. It's a bold move regardless.

EDIT: I meant debit card transaction fees, not credit card fees.

Debit cards only. I'm sure the fees are significantly lower for debit vs. credit cards.
Yeah, true. But isn't it still in the neighborhood of 2%?
0.05% + 22¢ for debit cards.
That is an insane amount of money to be losing if/when this thing takes off. There must be more to the story.
I don't think so. Its a user acquisition cost. Instead of putting up Ads, they're offering a free service. Good tactic.
> I'm sure the fees are significantly lower for debit vs. credit cards.

This used to be the case, but in recent discussions with retail owners I've been told that the fees are now comparable.

In my Canadian city high-volume, low-price businesses such as independent fast food places take debit only since credit card charges would remove a good bit of their margin on a sale.
There is no fee over an ACH transfer.
I believe that Amazon Payments is the only system that lets you pay someone with a credit card, although it's limited to $1,000/month (otherwise people abuse it, sending cash to each other to rack up points on their credit cards).
What about PayPal?
I thought that there were now ways for payment processors to flag that a transaction is not supposed to earn points? (eg. balance transfers, cash withdrawals etc...)

Otherwise I could deposit $10,000 from my credit card into my on-line gambling wallet, then withdraw it, repeat...

I challenge you to find a website that will let you charge $10k into an online gambling account from a credit card. And any that do exist will charge fees higher than credit card rewards in most scenarios.

But yes, you also will not earn points on balance transfer transactions. But they typically are processed via ach.

You're right, I haven't tried to deposit more than about $1000.... however I could just do that over and over again.
With a credit card? Which site? To my knowledge this did not exist. Discount fees would cost them 2% at least.
The better example is the scam people had going for a while where you could buy $1 commemorative coins (e.g., http://en.wikipedia.org/wiki/Sacagawea_dollar ) from the US Treasury for $1.00, with free shipping (the mint made many more of them than the demand, and wanted to get rid of them). Some people bought $100k worth of coins on an Amex card and kept the miles (only problem with that is depositing a zillion coins with local banks). That's now been shut down if I'm not mistaken.
I believe Amazon Payments charges 2.9% + $0.30 per transaction, which would not make it an effective way to rack up reward points.
Square has had a system called Wallet for several years where if you enter a store using Square, and it detects your phone in the vicinity, you can "pay by name." You walk up to the register, say "I'm John Smith," and they tap your name on the Square register to check you out. No need to take your phone out of your pocket.

Perhaps this is just an attempt to backdoor people into becoming users of Square Wallet. Give away person-to-person transactions for free, get a massive user base for business-to-consumer transactions and charge the businesses for the use of your network.

This is one area where the US seems to be behind compared to the UK. I am from the UK and that service would look quite poor if it launched over here. We have a system called faster payments service that offers instant (although in some cases up to 2 hours) bank transfers for payments up to £100,000 (can differ between banks). You can use this directly if you share bank account numbers and sort codes but there are also wrappers around FPS like Barclays PingIt that people can register with and use your mobile number instead. There is no fee associated with these services.
The US equivalent is ACH, which has the major downside that using only the bank ID (routing number) and account number you can effectively wipe out the target's account. It's up to your bank (or whatever ACH proxy) to keep you from doing that, not to the interchange, both legally and technically. ACH also takes several days to work, and has a wide window for either bank to declare the transfer fraudulent, so many banks stretch the time out longer to account for that. Most stock brokers will credit your account long before the ACH transaction completes (with some restrictions of course).

There are also wrappers around this here like Chase's Quickpay or Ally's Popmoney but most require that both people use the same bank, or that you give your ACH details to a bank that isn't your own.

Paper cheques just have the routing/account numbers along the bottom, and AFAIK essentially work via ACH anyway, so they have all of the same downsides, plus taking longer to complete.

Also, the window for fraud with ACH is so great that when you tell one bank about another account's ACH details so that you can transfer money, they "authenticate" this by making small, sub-$1 deposit amounts, and asking you what the amounts were, to prove that you can see the target account. So this "linking" process takes the entire ACH transaction time as well the first time you do it. Some banks have taken to using a service called Yodlee which asks you for the target accounts' username and password. That's right, Wells Fargo asks for your username and password on Scottrade to authenticate the transfer because they don't trust the way ACH's liability lies. So this won't work to send $8 to your buddy anyway.

Moving money without a service like paypal/venmo/square/google wallet is really quite difficult, especially if you don't want to trust an organisation with a history of taking people's money (Paypal) or if you don't want to pay a transaction fee.

> ACH also takes several days to work, and has a wide window for either bank to declare the transfer fraudulent

Still some catching up to do with the UK/EU. Transfers within 15 minutes (99%) with fraud checking etc. is awesome.

> The US equivalent is ACH, which has the major downside that using only the bank ID (routing number) and account number you can effectively wipe out the target's account

Interesting. I had come to a similar conclusion myself. I noticed that in paying my school fees all I needed was those two numbers (banking routing #, bank acct #) for payment with no further verification. As you have observed all of these details are readily available on paper checks.

One way to mitigate the issue of someone potentially wiping your account is to have two accounts. One public and one private. The private one would contain (most of) your actual funds whilst the public account, which you would share freely as needed would contain just enough funds to complete whatever transactions that you need to do. Sure, it is not as convenient because you have to manage two accounts but at least that way you reduce your exposure to your funds being completely depleted.

I use checking and savings in this way. I think it's pretty common to do so that checking is a revolving fund and doesn't hold any significant money, but it's also common to just have all your money in the one account.

Anyway, good description of ACH above. Very few people understand how it works.

Are you serious? Why would _anyone_ design a system like this?

In Australia, the equivalent is EFT (Electronic Funds Transfer). You can deposit money to anyone's account by telling the bank their BSB (Bank/State/Branch number) and their account number; however this is not sufficient information to withdraw money.

To withdraw money: 1. at a physical bank branch: a. you put your credit/debit card in a POS terminal and enter your pin/sign to authenticate. b. provide yous credit/debit card and photo ID to the teller. 2. at an ATM: credit/debit card + pin number. 3. online banking: either the credit/debit card number and a password and often a pin as well, or a separate number and password.

All of these use an independent authentication source to the bank account number.

Also the delays quotes here are insane: In Australia, there are essentially 2 ways to pay for something (excluding cash): 1. EFT (Electronic Funds Transfer) 2. Credit card (possibly using a debit card) transaction.

On POS terminals, you can choose either; the differentiator being whether you want to use a savings account (EFT) which goes via your bank, or a credit (or savings account accessed via debit card) account, which goes via MasterCard/Visa.

All forms of EFT take 1-2 business days between banks, pretty much all the time; and they're universally free for the payer.

Credit/debit transactions seem to take 1 day universally.

We have a fairly stagnant banking system, with 4 major banks having basically the entire consumer market (and the vast majority of the nonconsumer market as well). Why, in a small, stagnant market like ours, do we fare much better than the US system?

[edit: I forgot to mention, checks are dead here, they're now almost only used for large transfers of money where: 1. you don't want to use EFT; 2. they're over the daily online maximum for EFT transfers, and you can't be bothered to go to a bank branch (although you can only get bank checks at a branch AFAIK); 3. You want an immediate guarantee that the ammount was paid and the date/time/payer/payee (as opposed to waiting 1 day for the payment to come through).]

> Are you serious? Why would _anyone_ design a system like this?

Because it's descended from writing simple letters of credit (and by this I literally mean a letter that says "Hey bank, pay John here $15 out of my account kthx"), and giant ancient heavily regulated institutions are terrified of change.

The system wasn't designed exactly, it just sort of evolved

Also, the US has a very weak culture of consumer protection and regulation; solutions that require co-operation between competing entities are much harder to get off the ground. See the ACA software mess.
and they're universally free for the payer.

Not quite. Vendors can now legally add a surcharge to cover the cost for payments from a credit card. Some vendors traditionally refused Amex when they had to eat the charge, since Amex was something like a 4-5% cost to the vendor as opposed to the 1-2% costs of the other cards.

Why, in a small, stagnant market like ours, do we fare much better than the US system?

We have strong banking regulations, apparently. I heard somewhere that during the GFC, there were only ten banks of that kind globally that hung on to their AAA credit rating, and all four of the Australian big banks were in that ten.

Credit card transactions do sometimes have fees attached; specifically I was referring to EFT, which for person-to-person has no fees at all, and doesn't attract fees to the payer at the POS (whereas credit cards can).

Yeah, the real question I was getting at was, given the Australian market is even more insular and stagnant than the US, why do we have much better systems?

What you're saying sounds plausible; a comparison of the US and Australian regulations on deposit banks would be interesting.

I never realised how good we had it comparatively in Australia. I always just thought that Eftpos was something that "just worked" and that everyone around the world had (or at least an equivalent). No fees, no credit, no monthly payments, no bullshit. Just a card that you use to pay for things out of your bank account.

No processing times too :)

Actually EFT does have fees. Typically between 10c - 25c / transaction.

They are minimal, but they are there.

Plus the fee for the terminal of course. Which varies significantly between banks in AU.

Sure; I could have been clearer here.

Specifically, you can do an EFT transfer from a bank account to any other bank account in Australia via online banking, and it's free (at least in all the times I've used it).

In the case of ETFPOS terminals, EFT is always free for the payer (the customer), and credit cards are usually free for the payer, but do sometimes have a fee for the payer (certainly AMEX and Diners).

As I've now been corrected on, both types of transaction have a fee for the payee (the merchant).

The fee for the terminal itself is definitely true - I was mainly thinking of fees in terms of payers, i.e. the customer, not the merchant.

Though given there are alternative methods for credit/debit payments (i.e. alternative terminal types, like the swipe thingy that plugs into iPhones) it'll be interesting to see if people keep the combined EFTPOS + credit/debit card terminals, or abandon the EFT side, as the number of non-debit bank/keycards dwindles.

We have strong banking regulations, apparently. I heard somewhere that during the GFC, there were only ten banks of that kind globally that hung on to their AAA credit rating, and all four of the Australian big banks were in that ten.

Our bank regulations are a joke (in the last few years, we just nationalized a fraudulent bank for €2.7 billion and re-sold it for €30 million), and yet we have a similar system, plus free virtual CCs, plus an award-winning ATM network that doesn't charge any fees for usage/withdraws.

> All forms of EFT take 1-2 business days between banks, > pretty much all the time; and they're universally free for > the payer.

Other people have already weighed in on the fact that actually not all of the payment systems are free for the payer (even EFT via a terminal costs).

But ask yourself, why does it take 1-2 business day for this to happen? In the UK, the worst case scenario is 2 hours between different banks. And if the account transfer is within the same bank, it is instant.

In AU, even between St. George accounts you can see delays of up to 1 day. Insane! Especially since the money isn't changing banks but accounts within the bank.

The AU transfer delay is bizarre.

Every bank I've been with (Commonwealth, ANZ and Bendigo) has instant transfers between accounts within the same bank.
Could just use bitcoin.
surprised to see that this is the only mention of XBT in this thread.

Seems to me like square cash is comparable to the extremely low friction nature of XBT to XBT transactions, but with fiat currency.

I'm not saying square did this in response to bitcoin, just that it's scratching the same (or a similar) itch.

Now, if only I could Square my BTC into somebody's fiat account without friction...
It's bad. One time I mistakenly reversed the source/destination when sending my roommate two months of rent money and I over drafted his account because it took the money without asking his permission.

Once the accounts are linked, either party can pull/push money without the other's approval.

Seriously? That's insane!
That sounds like whatever user interface allowed you to use the remote account as a source was equally to blame.
(comment deleted)
Having recently moved from the UK to the US, I was quite shocked at the state of US banking. In the UK we can transfer money for free, use many ATMs free (not just the bank's own), we get free chequebooks, and there are plenty of accounts with no monthly fees. My US bank has a whole list of charges, and it's not made up by higher interest rates.
Except your UK bank will rape you if you look at it the wrong way. That's how they make money without fees.
UK banks do the same, they just charge their fees to people who go overdrawn instead.

There's no such thing as "free banking" in the UK

As another person who has lived in both places, banking is a lot freer in the UK. Yes, UK banks charge overdraft fees - but so do US banks. Most US banks will charge you to send you replacement checkbooks; many will even charge you a monthly fee to maintain the account. There are notable exceptions, but they don't have mass market buy-in.
I moved to Canada (from UK) and similar situation. Monthly fees, X amount of transactions per month, fee to withdraw from other banks (although we had this in UK too for a few years), fee to pay someone else money whether in the same bank or not and even via the internet.

I tried to deposit a cheque into my landlords account and the bank teller would not accept it, had to be cash or bankers draft - I presume because they may have a limit on the number of transactions per month and anything over wold cost them additional money. I found it very bizarre.

Faster payments are so fast in some cases that, transferring between accounts with different banks, I see an update in the recipient window before the sending bank website has finished serving the confirmation page!
On one occasion I asked someone to transfer me money while I was queueing for an ATM. Hung up the call and took the money out. It's FAST!
Remembering people's bank account details is a nightmare though. I sometimes need to pay friends or family back for a meal or whatever, but going through the rigamarole of requesting their bank account details and then logging onto internet banking, going to the payment screen, putting their details in (making sure you don't mistype a digit in their bank account number) and then hoping you did everything OK is just a fundamentally broken UI.

The Barclay's "pingIt" system is a step in the right direction, I think all banks should adopt a similar system. Paypal "gifting" is a good alternative to this but not everyone has a paypal account

Both banks I've used recently (Natwest and Halifax, not that I can recommend either) keep a saved list of people you've paid in the past, so I only had to go through that dance once for each person I paid. For the people I paid most frequently it was very convenient, I could send them money in seconds using the Natwest Android app.
Ah - I was under the impression PingIt could be used by non-Barclays customers.

That said, NatWest's mobile app also allows this behaviour: I can send a contact a text with a link allowing them to deposit the amount specified: up to £250.

That's how it works in much of Europe. The US banking system sucks. I have clients in Germany. They pay me via credit card because bank transfers to US accounts are such a pain. If I had a German account they could pay me instantly without hassle. Even many of my US clients pay me by credit card because they'd otherwise have to mail me a check (yuck) or get some kind of 3rd party bank transfer service which they're not willing to do.
Seems to work amazingly although I'm a bit concerned about the security. A friend sent me $1. I get an email from square, link to website where I entered my debit #, expiry and postal. It deposited directly to my debit card (I didnt even know you could do that). The deposit already arrived!

"Checking Card Adjustment POS Pin (Credit) $1.00"

So I sent him $1 back (to: my friend, cc: cash@square.com, subject: $1). And it instantly sent it to him. I didn't have to verify my details or anything.

I'd feel a lot more comfortable if there was a security blog explaining how they are validating that I indeed sent the email and it wasn't simply spoofed.

Edit - I did this from Gmail which I presume authenticates all of the emails via dkim? I'm guessing this won't work as automatic for other providers?

Edit2 - Just attempted with another friend and had to verify manually. The automatic-authorization appears to only apply when it's between two previously validated parties.

Thank you for taking the time to try it out and for reporting the results back to HN.
Even if Gmail is the reason I hope they'll add an option to verify the transfer anyway. It looks like something that is easy to use other vulnerabilities to mount an attack.
There's a pretty straightforward SMS confirmation thing you can enable by logging in to your Square account. Tested and it seems to work well. Also note that the weekly transfer limit is $250 if you don't verify yourself, so the risk is somewhat limited.
Out of curiosity: Do you know whether the $1 is listed as "available funds"? Some (all?) banks list pending transactions like check deposits and include those funds in your account total, but then have a separate header for "available funds" that are actually usable to spend or move.
In my bank (Capital One 360, formerly ING Direct) the deposit is listed as cleared & available. The $1 I sent him back is in a pending status (and thus removed from my available balance)
The issue is also that people will just squat on compromised accounts and then nick funds as they appear. Low probability I suppose, and that's what they're betting on.
I just found a major limitation with this thing. It blocks payment from any prepaid Visa/Mastercard - even reloadable cards attached to virtual checking accounts that support ACH (payroll cards, Netspend, etc). That eliminates payments from a huge section of the population.

http://prntscr.com/1xm5le

Another issue: if you make a mistake on the initial email, and want to send a different amount, you're out of luck. When you send a corrected email from the same address and go to the payment page, it adds any previously unfinished transactions from your email to the amount being sent, with no way to cancel the mistaken one. So just never make a mistake, and never do a test transaction you don't intend to finish, or you'll be required to finish and pay for all of it when you finally do have the correct amount and want to send a transaction (which you can only send with a small subset of the debit cards in existence).

These payment companies are always introducing interesting new things and then they hobble them with basic oversights and fundamentally flawed policies. In the last hour I've gone from excitement to disappointment with this service. It had promise based on the description, but this particular service (probably not Square itself) will fail very quickly.

Sounds like this is probably more of a security feature. Prepaid cards are harder to track, and would be more suspect to fraud.
You know what's at least as hard to track and prone to fraud? Actual cash. I really dislike the idea that e.g. children shouldn't be able to pay for things over the internet because their identity can't be verified. Let's see some more support for prepaid cards.
Actual cash is nearly impossible to fraud/counterfeit.

Are you a parent? I do not have want to my kid buying products unfettered.

I hate to break this to you, but they can already buy things in physical stores.

And if you legitimately have a $20 bill, I can walk into a store, represent that it's mine, and buy things with it, never encountering an obstacle along the way. That's the same fraud you're worried about in prepaid cards.

I also wish the limitations would disappear, but there are two reasons keeping them in place:

1) Government wants to ensure it can track all digital transfers (many pre-paid cards require activating with SSN)

2) Failing to approve certain transactions is the equivalent of a financial firewall because banks and payment processors know they haven't hardened their servers enough to prevent another one of these: http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-...

Now, if policy-makers were convinced the online-children-purchases market were bigger than the drive-by-ATM fraud, we would see the rules changed tomorrow.

Of course they can, but as a parent, I find it easier to supervise their store purchases than their online purchases, because they have to physically go there, and I can notice it.
Frankly, if you're that interested in tracking what your children have and haven't bought, online purchases are likely to be easier, in that they come to your home through the mail.

The general categories of things that children are commonly restricted from buying:

- Drugs. These are all black market, so availability of prepaid cards is unlikely to change how they're bought.

- Alcohol. I've never tried to buy this online; I know eBay Now wanted to sell it and concluded that the cost of legal compliance was too high. Even assuming they could find mail-order booze, it would arrive in the mail, easily detectible.

- Pornography. This can be consumed directly on the computer, raising possible detection issues. However, if you're afraid of children buying it over the internet, I've got some very bad news for you...

- Birth control pills? I'm running out of ideas.

Are you afraid they'll buy digital goods? Why?

> in that they come to your home through the mail.

Says who? Who says they couldn't send a package to a friends house, or a workplace?

If they have a workplace, all hope is lost.

How would you react to receiving a package in the mail for your son's friend?

Oh I know how I would react, but that doesn't mean every parent would react that way.
> - Birth control pills?

Exactly the kind of thing teenagers should be able to buy without their parents' consent.

You won't find me disagreeing with that, but the fact is birth control pills are controlled.
you need a prescription from a doctor to buy that ;)
Are pre-paid cards the only option for children in the states? I'm in the UK and I've had a debit card (attached to a bank account) since I was a young teenager.
I had a checking account under my Dad with a debit card when I was a minor. When I turned 18, I just called them, and they made it my current checking account. I'm not sure what the difference was.
It also doesn't work with pure ATM cards that lack a Visa/Mastercard logo. Maybe I am a bit over-paranoid, but I don't like the idea of staring at a zero bank balance while some fraud department promises to fix things up real quick now if I just stay on hold.
If you don't trust your bank to fix fraud, than you need a better bank.
I actually laughed at that. Every bank here is the same and we supposedly have some of the safest banks in the world. Im limited to an 8 character password, and the other banks here are little better. New Zealand.
(comment deleted)
It's safe in NZ because even with access to your internet banking, a thief can only transfer money to another NZ account and they're fairly reliable at verifying the identities of account holders.
Really? I've been impressed with Kiwibank's balancing security and usability. Rabobank NZ have two factor authentication too.

Of course if you're with one of the four majors, well... they're owned by Australians, what did you expect?

Which bank are you with? Having had accounts with 4 major banks here (Kiwibank, ANZ, Westpac, ASB), I can confirm that you are allowed passwords more than 8 characters. Also, several of them offer a second protection level for logging in.
ASB. How did you get a long password? It just deleted the characters at the end when I tried (6 months ago).
> with no way to cancel the mistaken one.

I see a "cancel" link in the email Square Cash sends me.

I did notice that there is a cancel link in the original email - a very small link at the bottom - but they should make it possible to remove any of the transactions it tries to compile together on the sending screen. Having to go back, find the email, and hit the cancel link after you realize that they are including transactions that you had no intention of completing isn't exactly intuitive. There is also nothing anywhere that says that this is the procedure required.
" and hit the cancel link after you realize that they are including transactions that you had no intention of completing"

Why are you starting transactions you don't intend on completing anyway? I haven't tried it, but from what I've read so far the workflow seems perfectly reasonable for the vast majority of transactions. It's not like when I pay a friend the 10$ back he fronted me last week in the bar when I forgot my wallet, that I give it to another friend first and say 'hold on to this for a bit while I ponder whether to actually go through with this 'transaction''.

I didn't even bother trying. I knew it wouldn't do what it said because I'm not in America. I've sent cash to other countries before but this isn't cash so it can't possibly work. IT would be nice if they clearly listed who can't use it to save people's time.
Just a note, for most countries, the best non-cash way to send money is an international wire transfer (sometimes called a telegraphic transfer). This is _not_ western union. which is ludicrously expensive, it's done bank to bank.
Every international wire transfer I've seen offered by my banks has costs at least $15 - $25.

Here in NL, its so much each to use send someone money: They tell you their IBAN, you grab your Random Reader and enter you pin and get a secure code to authorize the payment, and it's done. There's not even a market for companies like Square, since the banking system is designed to handle these typical situations. People here look at me like I'm crazy when I say that if I want to give someone money I either have to use PayPal/Square or just cash.

>> I just found a major limitation with this thing. It blocks payment from any prepaid Visa/Mastercard - even reloadable cards attached to virtual checking accounts that support ACH (payroll cards, Netspend, etc). That eliminates payments from a huge section of the population.

.. Aaand it's not an accident either.

Is that to meet the money laundering/auditing requirements?
>" It blocks payment from any prepaid Visa/Mastercard - even reloadable cards"

This is to prevent money laundering and tax fraud.

Email verification would be done with SPF and DKIM. I would sure hope that this is required!
(comment deleted)
You mean email account, and not address, right?

Prevention is less important than detection and reversal before withdrawal, which Square and other payment methods companies are pros at.

(comment deleted)
What are the verification steps for sending money to a previously unknown party? Is it SMS verification, or do you have to re-enter your card details?
So one day you get an email that you got $100 and all you need to do as a recipient is to click on a link and enter your full credit card details? Sounds like a phishing paradise.
Not even a credit card - a debit card!

In the US at least, these are not covered by the $50 limitation on losses on unauthorized transactions. In practice the banks often honor that anyway, but AFAIK they don't have to.

In this case however, it appears the bank could argue that when you got phished, you gave access to a third party.

Wow. I would never do this. It's a good practice never to use a debit card online, and it's unclear to me whether the service here offers any enforeceable assurances to participants.

I'd risk a debit card on this technology only if there was a small amount in the account and no overdraft capability.
> The automatic-authorization appears to only apply when it's between two previously validated parties.

This doesn't feel quite right, as you describe it you'd validated that it's ok to receive money from them, not send it. I'd be more comfortable if it was validated in some way when you first send something to a person. Receiving money doesn't mean I trust a person.

I could send you a dollar, and when you accept it I could fake an email back giving me 100. I hope this only happens with signed emails.

About DKIM, does it stop someone from repeating an email? Could I fake an identical email that has been sent before? If so, that's something that normally wouldn't be an issue (duplicate emails aren't really a problem, you can't inject any information, change links to dodgy sites) but would be huge for sending money.

EDIT - from the DKIM site

> DKIM does not protect against re-sending (replay of) a message that already has a valid signature; therefore a transit intermediary or a recipient can re-post the message in such a way that the signature would remain valid, although the new recipient(s) would not have been specified by the originator.

EDIT2 - Squares security page is brief and, well, sounds odd

> detects suspicious behavior in real-time, and in many instances, even before it happens.

How do you detect behaviour before it happens? Isn't that inherently impossible?

You bring up an excellent point about simply replaying the same message. I'm curious what mechanisms are in place to prevent that.

And yes, the exchange was B -> A which gave automatic authorization for an A -> B transmission, which I do agree is a bit presumptuous on their part.

> How do you detect behaviour before it happens?

Didn't Minority Report answer that question?

You're right, DKIM doesn't sign the message-id, which is the obvious de-duplication mechanism. What a half-arsed oversight.
It looks like how it lets you claim your money without your bank account details is by processing a refund. Don't know how they did it, but it's very cool.
I agree that security could and should be a huge concern. With your credit card you're protected from fraudulent transactions. But this is not the case with ATM. If someone gets a hold of your ATM + PIN, you're just plain out of luck.

Not sure how that translates to this service, but if something is compromised, you might just end up with an empty bank account.

I posted up a detailed screen flow of the entire process on my own site if anyone is interested:

http://blog.charleyma.com/square-cash-initial-thoughts-scree...

Overall though, extremely impressed with Square's offering and it was also instantly debited to my account. Curious to see if the value increases to a somewhat significant amount if this "instant transfer" translates into 1-2 business days.

This is almost exactly the same system as Interac in Canada. Will work well until the fraudsters figure out they can steal with it then limits will happen. Wonder what the merchant fees are and if they seize accounts for receiving an arbitrary amount of payments
There are no fees by the looks of it; it's completely free.
No it isn't, somebody is paying something to someone. Square is just not charging the people who exchange money... yet.
That's like saying Facebook isn't charging people yet.

There are monetization strategies which don't involve charging the end user anything for the service provided.

I agree. Security is definitely a major concern for me. Still a cool concept though
Aren't emails sent in plaintext? What are the security and privacy implications of using this service?
Since it's based on email, the same as email. You can encrypt the body but not (most of) the headers. So yes, there's a privacy concern there.
I've had a debit gift card for 10 months with $35 on it. Just used this to send that money to myself. Awesome.

Amazing what you can do with a card number and expiration date. Don't loose your debit cards!

The security here is very very questionable. It is non-existent and that worries me.
I'm completely taken back by the simplicity of this + that it's free. So many times have I paid a contractor via PayPal as a "friend" to reduce PayPal's fees.

Moreover, why hasn't a bank or credit card company done something like this yet? Amazing how the solution disappears into a cc: address line and unique link in your email.