Yikes: Square hack lowers the bar for credit card fraud

A demonstration by researchers at the Black Hat security conference Thursday revealed that Square‘s mobile payment system, which turns smartphones and tablets into physical point-of-sale credit card processing terminals, can be used for credit card fraud, reports CNET.

The researchers, U.K.-based Aperture Labs directors Adam Laurie and Zac Franken,  revealed two different methods for committing credit card fraud using Square. The first method transfers money from a stolen card into a bank account associated with Square without having to swipe it through Square’s card reader accessory.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":316689,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,mobile,security,","session":"D"}']

It’s done using code written by Laurie that allows a person to feed magnetic stripe data from a credit card into a microphone and convert it into a sound file. Using a stereo cable, the audio file is played through the Square device, which transmits the credit card data directly into Square’s application.

The hack means that thieves can obtain credit card data and make transactions without having to clone the card, use a PIN number or go to a physical location.

The second method uses the Square card reader dongle to clone credit cards by grabbing the magnetic strip data and converting it into audio. Then, using the same code written by Aperture’s Laurie, the audio is translated into credit card information. This is possible because Square’s card reader dongle doesn’t use encryption or authentication.

“The (Square) dongle is a skimmer. It turns any iPhone into a skimmer. Now you need less technical hardware to (commit credit card fraud) and no technical skills at all,” Laurie said during a press conference where he and Franken demonstrated the hack using Visa gift cards. “This lowers the bar” for credit card fraud, he added.

Square could not immediately be reached for comment about the potential credit card fraud risks associated with its card reader dongle.

Update: A Square spokesperson responded with the following statement:

This was not a vulnerability, but rather a simulated attempt to commit fraud. Like all credit card processors, we aggressively guard against fraud (such as the use of stolen credit cards)–and we use traffic analysis and other patented methods to detect and prevent malicious activity.