Researchers reveal two security gaps in Square mobile credit card reader

by Phil Hornshaw

Two software security researchers explained last week at the Black Hat security conference in Las Vegas two ways they’ve discovered that mobile credit card payment service Square can be used for credit card fraud.

Square (also on Android) provides mobile payments by allowing users to purchase a small credit card reader to plug into their iPhones, iPads, iPod Touches or Android mobile devices, turning those devices basically into a credit card reader in order to process point-of-sale transactions. The technology allows for anyone to become a credit card-accepting merchant instantly.

But two researchers from Aperture Labs, Adam Laurie and Zac Franken, have discovered an easy exploit to fool the Square device into doing things it shouldn’t, according to a story from CNET. Using a piece of software written by Laurie, the pair were able to use the Square device to transfer money from credit cards to a bank account without ever having the physical card in-hand – something that shouldn’t be possible with the Square device. It would be easy enough to duplicate with stolen credit card numbers, the pair said.

The software converts credit card information stored on the magnetic stripe of the card into a sound file. By plugging the Square device into the audio input on a mobile device, the pair were able to feed the sound information into the Square reader and basically fool it into thinking it had just swiped a card. From there, it was easy enough to send money from the card wherever they wanted.

The Square device could also be fairly easily turned into a credit card “skimmer” by the same process. A skimmer is a device that gathers credit card information during an otherwise legitimate transaction. Skimming often occurs at places such as restaurants, where an employee might be able to take a credit card out of the immediate view of its owner for the transaction. While that’s happening, the card can be swiped into a skimmer and its information saved without the owner ever knowing.

Laurie and Franken were able to reverse the process with the Square device and capture the sound output version of the data, then convert it back into credit card numbers readable by humans using the software they created.

The exploit sounds pretty dangerous, according to the two researchers: “‘The dongle is a skimmer. It turns any iPhone into a skimmer,’ Laurie said. To clone a card, ‘now you need less technical hardware to do it and not technical skills at all.’” While skimming devices are available online they’re harder to come by and specialized, CNET reports. Meanwhile, anybody with a smartphone and a Square dongle can skim credit card numbers while it looks like they’re performing a legitimate transaction.

CNET said Square hasn’t returned its request for comment. Here’s a quote from the story:

Laurie said the researchers figured these fraud methods out in February and reported them to representatives at Square. But Square didn’t see it as a significant threat, saying that there are easier ways to commit credit card fraud and that they can detect fraud through traffic analysis and other methods, Laurie said.

Other measures, such as anti-fraud bank regulations in the U.S., also limit the potential of the threat, but there are ways around them as well. As Square apparently pointed out, there may be easier ways to commit credit card fraud, but with everything in the mobile sphere, it seems there may be more forward momentum in the sphere than there is time to find potential security holes. Square announced last month that it processes $3 million in mobile payments daily, and there are 500,000 of its card-reader dongles out in the world. While it may not see Laurie and Franken’s discovery as a serious threat, that’s a lot of money and a lot of dongles floating around in the mobile sphere.