Square card reader vulnerable to hack attack

By , CardRatings contributor

Researchers at Aperture Labs, a security research firm in the UK, have demonstrated two ways to hack the Square payment system to use credit cards fraudulently. They say the security holes could streamline cybercrime, despite Square's assurances that it monitors all transactions for fraud.

Square is one of the latest credit card payment processing systems for iOS devices and smartphones. With the Square application and its external square-shaped scanning tool, a merchant can turn any iPad, iPhone or Android phone into a credit card reader.

It's a fast, easy and versatile system--but it has notable security flaws that Aperture researchers say could have been prevented with simple encryption.

Hack 1: Enter a stolen credit card number, no card needed

The danger isn't in scanning a card to make a purchase, which is completely safe. The problem is the way the Square tool transmits card information, which makes it easy for fraudsters to enter any credit card number and fake a purchase, effectively stealing money straight off a credit card and putting it in a bank account.

Because the magnetic stripe information on a credit card is converted into an audio file and transmitted via ordinary stereo cable to a laptop, any card number can be entered and authenticated the same way.

Hack 2: Skimming with the Square

The second vulnerability is that Square reads credit card data without encrypting it. This allows an unscrupulous merchant to use the Square to skim the number from a credit card at point of sale.

Despite the number of electronic credit card tools and smartphone apps currently being rolled out, there is no completely risk-free way to upload and transmit card data entirely electronically with no user involvement such as a PIN.

Square updates its product

What could Square have done differently to prevent this hack? For a start, say Aperture experts, they could have added some form of encryption. If credit card numbers were encrypted before being transmitted as an audio file, this type of fraud would be much more difficult - perhaps even impossible.

To address this, Square now incorporates encryption into its outboard tool, called a dongle. Squares with encryption are colored black instead of the original white. However, researchers say, this does not entirely eliminate the risk of fraud because the software itself does not require encrypted data.
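
The remaining gap described above is on the receiving side: input that did not come encrypted from a reader is still accepted. The following is an added example, not code from Square, Aperture Labs or this article, of an acceptance check that refuses such input; the frame layout, the per-reader keys, the HMAC-SHA256 tag and the swipe counter (which also refuses repeated frames, a step beyond what the article describes) are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not Square's real format):
#   1 byte   type       0x01 = legacy plaintext track data, 0x02 = encrypted
#   4 bytes  reader id  big-endian
#   4 bytes  counter    big-endian, increases with every swipe
#   N bytes  payload    ciphertext produced inside the reader (opaque here)
#   32 bytes tag        HMAC-SHA256(reader key, type || id || counter || payload)
PLAINTEXT, ENCRYPTED = 0x01, 0x02
HEADER = struct.Struct(">BII")
TAG_LEN = 32


class SwipeVerifier:
    """Decides whether a frame may be passed on to decryption at all."""

    def __init__(self, reader_keys):
        self.reader_keys = dict(reader_keys)  # reader id -> per-device key
        self.last_counter = {}                # reader id -> highest counter seen

    def accept(self, frame):
        """Return (True, payload) or (False, reason)."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "truncated frame"
        ftype, reader_id, counter = HEADER.unpack_from(frame)
        if ftype != ENCRYPTED:
            # The point of the check: no fallback to unencrypted input.
            return False, "unencrypted input refused"
        key = self.reader_keys.get(reader_id)
        if key is None:
            return False, "unknown reader"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad authentication tag"
        if counter <= self.last_counter.get(reader_id, -1):
            return False, "replayed frame"
        self.last_counter[reader_id] = counter
        return True, body[HEADER.size:]


def build_frame(key, ftype, reader_id, counter, payload):
    """Hypothetical helper: the frame a reader holding `key` would emit."""
    body = HEADER.pack(ftype, reader_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()
```
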

