Hack turns Square into criminal tool

Hackers have shown how to turn mobile payment service Square into a convenient tool for criminals to pump cash from stolen credit card numbers.

Adam Laurie and Zac Franken of computer security firm Aperture Labs used a homemade software program and an easily bought iPad audio wire to trick Square in a way that could be a bonanza for crooks.

Laurie could type credit card numbers into his laptop, which converts to sound data sent to Square, where the transaction registers as if a real card were swiped in a dongle.

"Traditionally, the way you make money from stolen credit cards is sell the data to someone else or buy goods on it, then resell the goods and get the cash," Laurie said while demonstrating the hack at a Black Hat computer security gathering in Las Vegas.

"This really takes the hassle out of it... I can put the money right in the account and it only costs me 2.75 percent."

The percentage he cited was the fee charged by Square, which was co-founded by Jack Dorsey, a Silicon Valley star who helped create popular micro-blogging service Twitter.

Square markets a pocket-sized credit card reader that can be plugged into a smartphone to allow anyone to accept credit or debit card payments on the spot.

Franken and Laurie, whose hacker name is "Major Malfunction," said that they were waiting for a flight at an airport when then figured out how to convert Square into a handy tool for cashing in on stolen credit cards.

Laurie realized that the Square "dongle" used to swipe credit cards plugged into an iPad audio jack, indicating that the small device essentially converted magnetic stripe data to sound then interpreted by the service's software.

He quickly modified software he wrote five years earlier for reading and replicating magnetic stripe data.

Franken and Laurie strolled to an airport shop and bought a wire to plug his laptop into the iPad jack where the dongle would have gone.

"Credit card data is getting skimmed all the time," Laurie said, holding up a pre-paid credit card he used for the demonstration. "Instead of buying this I could have bought it on the Internet from a criminal gang."

Funds are dumped into an individual's Square account to be removed before anyone catches on, according to the hackers.

"You'd have to set up dodgy accounts that don't trace back to you," Laurie said. "But, that is standard practice."

Laurie and Franken said that they shared their findings with Square in February only to be told that it wasn't seen as a threat and that traffic analysis would expose those kinds of transactions.

The hackers had also heard unconfirmed reports that Square planned to release new dongles that encrypt transaction data.

"Encryption would be a good thing," Franken said. "The way it is at the moment a cable between two devices and you can inject credit card numbers right into the system," he continued.

Since Square promises to have money from transactions in accounts within a day, money milked from stolen credit card data could be made off with quickly provided amounts were extreme enough to be noticed, Franken said.

Tweet