Hack turns Square into criminal tool

Aug 05, 2011 by Glenn Chapman
Mobile payment service Square markets a pocket-sized credit card reader to allow on the spot credit card payments
Hackers have shown how to turn the mobile payment service Square into a convenient tool for criminals to pump cash from stolen credit card numbers.

Hackers have shown how to turn mobile payment service Square into a convenient tool for criminals to pump cash from stolen credit card numbers.

Adam Laurie and Zac Franken of computer security firm Aperture Labs used a homemade software program and an easily bought iPad audio wire to trick Square in a way that could be a bonanza for crooks.

Laurie could type into his laptop, which converts to sound data sent to Square, where the transaction registers as if a real card were swiped in a dongle.

"Traditionally, the way you make money from stolen credit cards is sell the data to someone else or buy goods on it, then resell the goods and get the cash," Laurie said while demonstrating the hack at a Black Hat computer security gathering in Las Vegas.

"This really takes the hassle out of it... I can put the money right in the account and it only costs me 2.75 percent."

The percentage he cited was the fee charged by Square, which was co-founded by Jack Dorsey, a Silicon Valley star who helped create popular micro-blogging service Twitter.

Square markets a pocket-sized that can be plugged into a smartphone to allow anyone to accept credit or debit card payments on the spot.

Franken and Laurie, whose hacker name is "Major Malfunction," said that they were waiting for a flight at an airport when then figured out how to convert Square into a handy tool for cashing in on stolen credit cards.

Laurie realized that the Square "dongle" used to swipe credit cards plugged into an iPad audio jack, indicating that the small device essentially converted magnetic stripe data to sound then interpreted by the service's software.

He quickly modified software he wrote five years earlier for reading and replicating magnetic stripe data.

Franken and Laurie strolled to an airport shop and bought a wire to plug his laptop into the jack where the dongle would have gone.

"Credit card data is getting skimmed all the time," Laurie said, holding up a pre-paid credit card he used for the demonstration. "Instead of buying this I could have bought it on the Internet from a criminal gang."

Funds are dumped into an individual's Square account to be removed before anyone catches on, according to the hackers.

"You'd have to set up dodgy accounts that don't trace back to you," Laurie said. "But, that is standard practice."

Laurie and Franken said that they shared their findings with Square in February only to be told that it wasn't seen as a threat and that traffic analysis would expose those kinds of transactions.

The hackers had also heard unconfirmed reports that Square planned to release new dongles that encrypt transaction data.

"Encryption would be a good thing," Franken said. "The way it is at the moment a cable between two devices and you can inject credit card numbers right into the system," he continued.

Since promises to have money from transactions in accounts within a day, money milked from stolen data could be made off with quickly provided amounts were extreme enough to be noticed, Franken said.

Explore further: Twitter blocks two accounts on its Turkish network

add to favorites email to friend print save as pdf

Related Stories

Payment startup Square rolls out iPad sales app

May 23, 2011

(AP) -- First, mobile payment service Square made it easier for merchants to accept credit cards anytime, anywhere, with just a smart phone and a tiny, plastic credit-card reader. Now the startup led by Twitter co-founder ...

Swipe Your Credit Card on a Cell Phone

Dec 07, 2009

(PhysOrg.com) -- With a small card reader that attaches to a cell phone, a new company is making it easier for small businesses and even individuals to accept credit card payments. The San Francisco start-up, ...

Mobile pay start-up Square valued at $1 bln: report

Jun 29, 2011

A group of investors plan to buy a stake in Square that would value the mobile payment start-up at $1 billion even as it competes with much larger rivals, the Wall Street Journal reported Wednesday.

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

AnneOminous
1 / 5 (1) Aug 06, 2011
Pleeeeease don't write "software program". It's redundant. It's like saying "automobile car". And it makes those of us in the industry cringe.

There are many different definitions for "program". But if it's software, it's a program. So there is no need to write both. If you want to get technical, not all software runs on what we normally think of as computers, so if you really feel the need to be specific, "computer software" or "home computer software" is perhaps overly descriptive in most circumstances, but at least it's not -- quite -- redundant.
anonperson
not rated yet Oct 03, 2011
typo:
when then figured out how to convert Square into a handy tool for cashing in on stolen credit cards.

when THEY

More news stories

Making graphene in your kitchen

Graphene has been touted as a wonder material—the world's thinnest substance, but super-strong. Now scientists say it is so easy to make you could produce some in your kitchen.