Square card reader vulnerable to hack attack

By , CardRatings Contributor


Researchers at Aperture Labs, a security research firm in the UK, have demonstrated two ways to hack the Square payment system to use credit cards fraudulently. They say these security holes could streamline cybercrime despite Square's assurances that it monitors all transactions for fraud.

Square is one of the latest credit card payment processing systems for iOS devices and smartphones. With the Square application and its external square-shaped scanning tool, a merchant can turn any iPad, iPhone or Android phone into a credit card reader.

It's a fast, easy and versatile system--but it has notable security flaws that Aperture researchers say could have been prevented with simple encryption.

Hack 1: Enter a stolen credit card number, no card needed

The danger isn't in scanning a card to make a purchase, which is completely safe. The problem is the way that the Square tool transmits card information, making it easy for fraudsters to enter any credit card number and fake a purchase, effectively stealing money straight off a credit card and putting it in a bank account.

Because the magnetic stripe information on a credit card is converted into an audio file and transmitted via an ordinary stereo cable to a laptop, any card number can be entered and authenticated the same way.

Hack 2: Skimming with the Square

The second vulnerability is that Square reads credit card data without encrypting it. This allows an unscrupulous merchant to use the Square to skim the number from a credit card at point of sale.

Despite the number of electronic credit card tools and smartphone apps currently being rolled out, there is no completely risk-free way to upload and transmit card data entirely electronically with no user involvement such as a PIN.

Square updates its product

What could Square have done differently to prevent this hack? For a start, say Aperture experts, they could have added some form of encryption. If credit card numbers were encrypted before being transmitted as an audio file, this type of fraud would be much more difficult - perhaps even impossible.

To address this, Square now incorporates encryption into its outboard tool, called a dongle. Squares with encryption are colored black instead of the original white. However, researchers say, this does not entirely eliminate the risk of fraud because the software itself does not require encrypted data.


