Square card reader vulnerable to hack attack
August 9, 2011
By: Melissa Rudy
Researchers at Aperture Labs, a security research firm in the UK, have demonstrated two ways to hack the Square payment system to use credit cards fraudulently, security holes they say could streamline cybercrime despite Square's assurances that they monitor all transactions for fraud.
Square is one of the latest credit card payment processing systems for iOS devices and smartphones. With the Square application and its external square-shaped scanning tool, a merchant can turn any iPad, iPhone or Android phone into a credit card reader.
It's a fast, easy and versatile system--but it has notable security flaws that Aperture researchers say could have been prevented with simple encryption.
Hack 1: Enter a stolen credit card number, no card needed
The danger isn't in scanning a card to make a purchase, which is completely safe. The problem is the way that the Square tool transmits card information, making it easy for fraudsters to enter any credit card number and fake a purchase, effectively stealing money straight off a credit card and putting it in a bank account.
Because the magnetic stripe information on a credit card is converted into an audio file and transmitted via ordinary stereo cable to a laptop, any card number can be entered and authenticated the same way.
Hack 2: Skimming with the Square
The second vulnerability is that Square reads credit card data without encrypting it. This allows an unscrupulous merchant to use the Square to skim the number from a credit card at point of sale.
Despite the number of electronic credit card tools and smartphone apps currently being rolled out, there is no completely risk-free way to upload and transmit card data entirely electronically with no user involvement such as a PIN.
Square updates its product
What could Square have done differently to prevent this hack? For a start, say Aperture experts, they could have added some form of encryption. If credit card numbers were encrypted before being transmitted as an audio file, this type of fraud would be much more difficult - perhaps even impossible.
To address this, Square now incorporates encryption into its outboard tool, called a dongle. Squares with encryption are colored black instead of the original white. However, researchers say, this does not entirely eliminate the risk of fraud because the software itself does not require encrypted data.