Hackers turn Square readers into crime tools

August 6, 2015

John Moore and Alexandrea Mellen attend a Black Hack computer security conference  on August 6, 2015 in Las Vegas, Nevada
John Moore and Alexandrea Mellen attend a Black Hack computer security conference on August 6, 2015 in Las Vegas, Nevada
Hackers on Thursday showed how to turn the latest model Square mobile payments readers into crime tools.

Independent security researchers and self-described hackers Alexandrea Mellen and John Moore were at the Black Hat computer security conference in Las Vegas to demonstrate hacks targeting Square software or the dongle that plugs into audio jacks to read credit card magnetic strips.

"We converted a Square Reader into a credit card skimmer in under 10 minutes," Mellen told AFP.

"Any layman could do it."

She said the hardware hack can be done with simple tools including a screwdriver, wire and soldering iron, and that most of the time involved was spent carefully popping open the reader that Square provides to users of its mobile payments application.

Inside the reader, a wire is soldered between two points to bypass an encryption chip.

After that, unscrambled information from swiped credit cards can be collected, essentially stolen, to be sold on a black market or abused in other ways, according to Mellen.

Playback attack

On the software side, Moore provided details about a mobile application that enables a "playback attack" that allows merchants to charge customs for bogus transactions in the weeks or months after legitimate purchases are completed.

"We find this troubling because unless you are closely watching your credit card statements, you might not notice," said Moore, a recent Boston University graduate on his way to a job with Google.

Moore said that he and Mellen, also a recent Boston University graduate, targeted the Square Reader because the company, headed by Twitter co-founder Jack Dorsey, is a leader in a booming trend of using smartphones for real-world financial transactions.

Jack Dorsey, CEO of Square, holds up a credit card reader on September 12, 2012 in Detroit, Michigan
"Square, given its size and a bug bounty program, is no easy target," Moore said.

"We suspect the vulnerabilities we found in Square might easily apply to other mobile point-of-sale service providers."

An array of major Internet firms offer cash rewards, or bounties, for software bugs that can be exploited by hackers.

New hardware and software is quickly being fielded in the competitive mobile payments market, with pressure on to keep plug-ins compact and inexpensive, according to Moore.

Mobile payments software needs to be compatible with a variety of mobile phones, which can't be secured as easily since they are used for many more purposes than making purchases.

Moore referred to the combination of factors as "a recipe for disaster."

The hackers said they made their findings available to San Francisco-based Square but are not convinced fixes are planned.

Moore said Square told him they were watching for the kinds of bogus transactions that could be generated by "playback" hacks.

"They have the information to see the swipe of the credit card was taken weeks ago," Moore said.

Credit cards need upgrade

In a statement to AFP, Square put the fault on credit cards that continue to rely on storing data on magnetic strips, the technology for which dates back to the bygone era of cassette tapes.

"It should not surprise us that a system using essentially the same technology as cassette tapes is vulnerable," a Square spokesperson said.

"That is why major credit card companies, lenders and businesses are now embracing new, more secure, authenticated payment technologies."

Those technologies include embedding cards with chips that transmit data wirelessly to sensors at checkouts.

Square maintained that any credit card reader on the market could be tampered with, but that the company takes precautions to protect cards swiped on unencrypted readers.

"We have processes in place to prevent malicious behavior on damaged readers," Square said.

"If our encrypted readers are damaged, they will not work with Square."

Explore further: Hack turns Square into criminal tool

Related Stories

Hack turns Square into criminal tool

August 5, 2011

Hackers have shown how to turn mobile payment service Square into a convenient tool for criminals to pump cash from stolen credit card numbers.

Payment startup Square rolls out iPad sales app

May 23, 2011

(AP) -- First, mobile payment service Square made it easier for merchants to accept credit cards anytime, anywhere, with just a smart phone and a tiny, plastic credit-card reader. Now the startup led by Twitter co-founder ...

Virgin tycoon Branson invests in Square

November 8, 2011

Square, a start-up from a co-founder of Twitter, said Tuesday that Virgin tycoon Richard Branson has invested in the mobile payments company.

Recommended for you

Semimetals are high conductors

March 18, 2019

Researchers in China and at UC Davis have measured high conductivity in very thin layers of niobium arsenide, a type of material called a Weyl semimetal. The material has about three times the conductivity of copper at room ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.