The researchers, U.K.-based Aperture Labs directors Adam Laurie and Zac Franken, revealed two different methods for committing credit card fraud using Square. The first method transfers money from a stolen card into a bank account associated with Square without having to swipe it through Square’s card reader accessory.
It’s done using code written by Laurie that allows a person to feed magnetic stripe data from a credit card into a microphone and convert it into a sound file. Using a stereo cable, the audio file is played through the Square device, which transmits the credit card data directly into Square’s application.
The hack means that thieves can obtain credit card data and make transactions without having to clone the card, use a PIN or go to a physical location.
The second method uses the Square card reader dongle to clone credit cards by grabbing the magnetic stripe data and converting it into audio. Then, using the same code written by Aperture’s Laurie, the audio is translated into credit card information. This is possible because Square’s card reader dongle doesn’t use encryption or authentication.
“The (Square) dongle is a skimmer. It turns any iPhone into a skimmer. Now you need less technical hardware to (commit credit card fraud) and no technical skills at all,” Laurie said during a press conference where he and Franken demonstrated the hack using Visa gift cards. “This lowers the bar” for credit card fraud, he added.
Square could not immediately be reached for comment about the potential credit card fraud risks associated with its card reader dongle.
Update: A Square spokesperson responded with the following statement:
This was not a vulnerability, but rather a simulated attempt to commit fraud. Like all credit card processors, we aggressively guard against fraud (such as the use of stolen credit cards)–and we use traffic analysis and other patented methods to detect and prevent malicious activity.