Square Cash lets you send money to anyone at any time just by sending an e-mail

Shawn Knight

Posts: 15,240   +192
Staff member

PayPal is currently the leading digital payments provider but that could all change in the near future. Mobile payments company Square has launched a new service that allows anyone with a debit card to send cash to anyone else at any time just by sending an e-mail.

The service has been in beta since May but is finally ready for prime time. Using Square Cash sounds easy enough – just address an e-mail to the person you want to pay, add a CC: to cash@square.com and put the amount you want to send in the subject line. The body of the message can contain any text you want such as a memo regarding the transaction for your records or just a friendly "hello."

square cash paypal email money

First-time users will receive an e-mail from Square asking them to visit the Square Cash website to enter in their debit card number. This only happens once, we’re told, and when funds are delivered, they are sent directly to your bank account instead of an online account like PayPal.

The service is free of charge (no hidden fees) and the money is deposited into the destination account within 1-2 business days (PayPal can take upwards of 3-4 days to transfer money). Neither person in the transaction is required to have a Square account and you can send up to $2,500 per week. Square did say that if they add new features in the future, they might introduce a fee.

Permalink to story.

 
This seems ripe for fraud. What's to stop me from grabbing your phone and sending me or someone else $2500? There is absolutely no proof the transfer was not legit and it was done with zero authentication over the internet with no security or encryption. It's already easy enough to spoof someone's email so message can appear to be from anybody you'd like.

What am I missing?
 
Actually, none of those security features would prevent the type of fraud that TomSEA described. They all rely on the mobile phone, either for 2-factor authentication or SMS warnings. I'd also add that it's not terribly difficult to spoof an email address, so hopefully they will be checking headers.
 
What guest said.

They only claim to protect the web session that you used to originally enter the debit card information into their system. Other than that they encourage you set up the most complex login with your email provider that they support. Nobody is going to do that (or even know what method of authenticating is even the most secure)

Beyond that, they simply look for fraud after the fact. Credit card companies use extensive fraud monitoring because legally they are on the hook for the fraud. Debit cards are not the same as credit cards and we might be the one liable. "When we notice suspicious activity, we alert you and prevent further payments from being sent." No mention of refunding the amount of the original fraud, just notification so future fraud can be stopped.

This company is basing their product strictly on convenience, but at a price of a serious lack of security. Not for me thanks, unless they come up with something better than this.
 
This seems ripe for fraud. What's to stop me from grabbing your phone and sending me or someone else $2500? There is absolutely no proof the transfer was not legit and it was done with zero authentication over the internet with no security or encryption. It's already easy enough to spoof someone's email so message can appear to be from anybody you'd like.

What am I missing?
Yeah. As nice as this is, I wouldnt trust it.
 
Cool idea, but this is a new company, they may soon introduce a fee, and most likely raise it in regular intervals until customers start freaking out.

I'll stick with email money transfers via my bank. Cost: $1.50. Wait time: 30-45mins.
 
I agree with Tom and guest. This needs more security features. I think they need to require creating an account, and with that account users should be able to create a master password/key phrase. Once the email for cash transfer has been sent, SquareCash system could send a txt message to the users phone number asking them to reply with their password/keyphrase. Only then will the transfer will actually complete successfully.

I know this is far from perfect. It introduces an additional step for the users, plus introduces more issues like taking care of Data at rest, and the txt message isn't encrypted. BUT from a basic user perspective at least, I feel this is a bit better.
 
Back