At the recent Black Hat Technical Security conference in Las Vegas, two researchers from the UK-based research and development company Aperture Labs demonstrated how easily the Square payment system can be abused. Square is the mobile payment technology that turns any iPad, iPhone or Android mobile device into a point-of-sale credit card processor. It’s made possible just with the aid of a “pocket-sized credit card reader that plugs into your phone’s audio jack,” according to their website. Aperture Labs directors Adam Laurie and Zac Franken revealed not one but two ways to commit credit card fraud using Square.
“The dongle is a skimmer. It turns any iPhone into a skimmer,” Laurie said at Black Hat, as reported by cnet.com. It makes life easier for thieves looking to clone a card because “now you need less technical hardware to do it and no technical skills at all.” In other words, nearly anyone with the right know-how can become a criminal.
During a legitimate transaction, Square converts the data read from the magnetic stripe on a credit card into an audio file, which is then transmitted to the card issuer for authorization. Laurie and Franken demonstrated how, using code that is relatively simple to generate, hackers can convert data gathered from stolen magnetic stripes. They use a microphone to transform the data into audio files, which can then be submitted directly to the Square app for processing, with no card needing to be physically present.
Cloning cards is also possible by similar means. The thief swipes a card to grab the magnetic stripe data, which the reader converts into audio, and then uses the same code as before to translate the audio into credit card information.
All this is feasible because Square’s card reader dongle doesn’t currently employ any means of encrypting or authenticating card data.
The Wall Street Journal reports that Aperture’s Laurie and Franken disclosed the dongle’s vulnerability to Square several months ago, and Laurie reassured those present at Black Hat that there’s no risk to people using Square. Franken claimed that Square is in the process of issuing new dongles that encrypt the data.