
March 2011 Archives

March 24, 2011

TripAdvisor does the right thing, proactively notifies of email breach

This morning there was a message in my inbox from TripAdvisor with the subject "An important message from our CEO". I was expecting that perhaps they were announcing that they had been acquired, but instead the message explained in plain words that some portion of TripAdvisor's email list had been stolen. This message, delivered with honesty and contrition, is an example to all companies of how to share the news that your members' data has been stolen: do it, because it's your obligation and because it's what you'd want someone else to do for you. This great missive follows.

To our travel community:

This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list. We've confirmed the source of the vulnerability and shut it down. We're taking this incident very seriously and are actively pursuing the matter with law enforcement.

How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.

The reason we are going directly to you with this news is that we think it's the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously. I'd also like to reassure you that TripAdvisor does not collect members' credit card or financial information, and we never sell or rent our member list.

We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.

Steve Kaufer
Co-founder and CEO

March 12, 2011

An Open Letter to Verifone and Square

To Mr. Jack Dorsey of Square, Inc., and to Mr. Doug Bergeron of Verifone, Inc.:

Mr. Dorsey, you've made a good point that credit card transactions rely on trust between the purchaser and the seller. Your Square card reader is just as reliant on the good behavior of its user as is any other credit card reader at a restaurant or retail store. And of course, all cards are backed by industry protection. But I don't think that trust in people is what Verifone is pointing out. They're pointing out that you need trust in devices. Now, if a person accepting credit cards pretends to run a transaction through Square but instead runs it through another app, like the proof-of-concept app from Verifone that steals credit card numbers, you've got a security problem with the person, not their device. But what if the person is trustworthy and well-meaning, but the software on their device is not? What if the seller uses Square to swipe a card but another piece of software is listening in on the transaction? That's the real security hole that Verifone's letter brings to mind for me. It sounds just like an instance of a voting machine being hacked to affect election results: both human parties (voter and local precinct) are honest, but the party listening in is not. People blame the voting machine companies for their software's insecurity, and they'll blame Square if ever another piece of software listens in on an unencrypted credit card swipe. Verifone has a valid point that the security of your device could be reasonably improved, and you should inform your customers of the flaw and ship out new, encrypted readers. Square and its customers will profit from it.

Mr. Bergeron, I appreciate your passion for your company and for credit card security. You have a valid point that Square's unencrypted swipe device could provide better security than it does now. But honestly, do you think you've helped your company by publicizing it in this manner? You've tried to make Square look bad, and you made yourselves look bad as well. Did you really need to make a publicly downloadable app to show that Square's reader wasn't encrypting data? Did you really need to create a new website devoted to the issue? Both moves are unnecessary and unprofessional, and both betray your real motive of simply trying to blacken the reputation of a competitor. And, by publicizing a flaw, you may even have helped criminals get more credit card numbers. Next time, inform all parties of a flaw more responsibly and we'll really believe that you're doing it because you "take security very seriously."


Sincerely yours,
Tom Mollerus

This weblog is licensed under a Creative Commons License.