Square card reader vulnerable to hack attack

Written by Melissa Rudy

Researchers at Aperture Labs, a security research firm in the UK, have demonstrated two ways to hack the Square payment system to use credit cards fraudulently. They say these security holes could streamline cybercrime despite Square’s assurances that it monitors all transactions for fraud.

Square is one of the latest credit card payment processing systems for iOS devices and smartphones. With the Square application and its external square-shaped scanning tool, a merchant can turn any iPad, iPhone or Android phone into a credit card reader.

It’s a fast, easy and versatile system, but it has notable security flaws that Aperture researchers say could have been prevented with simple encryption.

Hack 1: Enter a stolen credit card number, no card needed

The danger isn’t in scanning a card to make a purchase, which is completely safe. The problem is the way that the Square tool transmits card information, making it easy for fraudsters to enter any credit card number and fake a purchase, effectively stealing money straight off a credit card and putting it in a bank account.

Because the magnetic stripe information on a credit card is converted into an audio file and transmitted via ordinary stereo cable to a laptop, any card number can be entered and authenticated the same way.

Hack 2: Skimming with the Square

The second vulnerability is that Square reads credit card data without encrypting it. This allows an unscrupulous merchant to use the Square to skim the number from a credit card at point of sale.

Despite the number of electronic credit card tools and smartphone apps currently being rolled out, there is no completely risk-free way to upload and transmit card data entirely electronically with no user involvement such as a PIN.

Square updates its product

What could Square have done differently to prevent this hack? For a start, say Aperture experts, they could have added some form of encryption. If credit card numbers were encrypted before being transmitted as an audio file, this type of fraud would be much more difficult – perhaps even impossible.

To address this, Square now incorporates encryption into its outboard tool, called a dongle. Squares with encryption are colored black instead of the original white. However, researchers say, this does not entirely eliminate the risk of fraud because the software itself does not require encrypted data.
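
The researchers' last point, that encryption in the reader does little while the software still accepts unencrypted data, can be shown with a small added example (not Square's code or protocol). The message format, reader ID, key and function names are hypothetical, and an HMAC tag stands in for the reader's encryption because Python's standard library has no cipher; the acceptance logic is what matters here.

```python
import hashlib
import hmac
import json

# Constructed per-reader key; a real reader would hold this in hardware.
READER_KEYS = {"reader-001": b"constructed-demo-key-not-real"}
last_counter = {}  # highest swipe counter seen per reader (replay defence)

def reader_seal(reader_id, counter, track_data, key):
    """What a protected reader would emit: a body plus a keyed tag."""
    body = json.dumps({"reader": reader_id, "ctr": counter, "track": track_data},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"mode": "protected", "body": body, "tag": tag}

def accept_strict(msg):
    """Backend that requires a valid tag from a known reader and a fresh counter."""
    if msg.get("mode") != "protected" or not isinstance(msg.get("body"), str):
        return False
    try:
        body = json.loads(msg["body"])
        key = READER_KEYS[body["reader"]]
        ctr = int(body["ctr"])
    except (KeyError, ValueError, TypeError):
        return False
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        return False  # not produced by a reader holding the key
    if ctr <= last_counter.get(body["reader"], -1):
        return False  # recorded swipe played back
    last_counter[body["reader"]] = ctr
    return True

def accept_lax(msg):
    """Backend that still takes legacy plaintext swipes: the remaining gap."""
    if msg.get("mode") == "plain":
        return True  # any injected card data passes, protected reader or not
    return accept_strict(msg)

if __name__ == "__main__":
    plain = {"mode": "plain", "track": "constructed-track-data"}
    sealed = reader_seal("reader-001", 1, "constructed-track-data",
                         READER_KEYS["reader-001"])
    print("lax accepts plaintext:   ", accept_lax(plain))
    print("strict accepts plaintext:", accept_strict(plain))
    print("strict accepts sealed:   ", accept_strict(sealed))
    print("strict accepts replay:   ", accept_strict(sealed))
```

Only the strict backend closes both issues described above: input that did not come from a keyed reader is refused, and a captured swipe cannot be submitted a second time.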


This content is not provided by any company mentioned in this article. Any opinions, analyses, reviews or recommendations expressed here are those of the author’s alone, and have not been reviewed, approved or otherwise endorsed by any such company. CardRatings.com does not review every company or every offer available on the market.