Hackers Transform Square Reader Into Mobile Credit Card Skimmer Within Minutes
Three recently graduated students at Boston University warn that there are a couple of different ways for scammers to use a Square Reader device to steal credit card data. One of the methods involves physically altering the tiny credit card reader and turning it into a skimmer. For someone who knows what they're doing, the modification is "quick, easy, and cheap."
It only takes around 10 minutes to complete and applies to current generation Square Reader devices. And once modded, the skimmer "will still look exactly like the Square Reader." Even so, Square is dismissing the hack on the basis that an altered Square Reader will no longer work with the accompanying iOS app, which makes it a little more difficult (though not impossible) to scam customers.
The researchers found Square's response "very frustrating" because even if a modified reader won't work with the Square app, a seller can simply pretend the swipe worked and let the customer go on his or her merry way. Alternately, the seller could pretend they're having trouble with the modified reader after swiping a customer's card and then swipe it a again with a backup Square Reader.
John Moore, one of the three security researchers who reported the vulnerabilities, told Motherboard that these exploits "could potentially be a recipe for disaster." That's especially true since one of the methods doesn't even require any physical alterations to the reader.
Instead of turning the reader into a skimmer, the researchers created a custom app called "Swordfish" that can record the signal created by a credit card's magnetic strip when it's swiped. That information can later be played back through the Square app to charge the customer a second time.
So, is this something that people really need to be worried about, or is it much ado about nothing? A Square spokesperson reached out to HotHardware and provided the following statement:
It's also worth mentioning that credit card companies typically protect users against fraudulent transactions. In other words, the sky isn't falling, folks.
It only takes around 10 minutes to complete and applies to current generation Square Reader devices. And once modded, the skimmer "will still look exactly like the Square Reader." Even so, Square is dismissing the hack on the basis that an altered Square Reader will no longer work with the accompanying iOS app, which makes it a little more difficult (though not impossible) to scam customers.
The researchers found Square's response "very frustrating" because even if a modified reader won't work with the Square app, a seller can simply pretend the swipe worked and let the customer go on his or her merry way. Alternately, the seller could pretend they're having trouble with the modified reader after swiping a customer's card and then swipe it a again with a backup Square Reader.
John Moore, one of the three security researchers who reported the vulnerabilities, told Motherboard that these exploits "could potentially be a recipe for disaster." That's especially true since one of the methods doesn't even require any physical alterations to the reader.
Instead of turning the reader into a skimmer, the researchers created a custom app called "Swordfish" that can record the signal created by a credit card's magnetic strip when it's swiped. That information can later be played back through the Square app to charge the customer a second time.
Square's Take
So, is this something that people really need to be worried about, or is it much ado about nothing? A Square spokesperson reached out to HotHardware and provided the following statement:
This story is about issues with magnetic-stripe credit cards, not Square. In 2015, it should not surprise us that a system using essentially the same technology as cassette tapes is vulnerable. That is why major credit card companies, lenders, and businesses are now embracing new, more secure, authenticated payment technologies. Square is helping to lead the way with our own card readers for chip cards and contactless payments.
Any card reader on the market can be deconstructed. The chip could be crushed and then reassembled by using the undamaged shell of the reader. At Square, we have processes in place to prevent malicious behavior on damaged readers. Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square.
It's also worth mentioning that credit card companies typically protect users against fraudulent transactions. In other words, the sky isn't falling, folks.
