Researchers highlight Square vulnerabilities

Posted by David Gomez

It looks like Square might want to stop cutting corners if they want to be taken seriously. Yesterday, researchers at the Black Hat security conference showed two ways in which the Square payment system could be used to commit fraud.

According to CNET News, the Square payment system that turns iPhones, iPads or Android phones into a point-of-sale credit card processor is deeply flawed. Adam Laurie and Zac Franken from Apeture Labs had no problem sharing their discovery that a user can transfer funds from a stolen card to their bank account linked to Square, without needing to scan a card via the Square dongle card reader. Yikes!

They proved it by using code written by Laurie that allows them to feed magnetic strip data from a pilfered card into a microphone and transform it into an audio file. Then they played the file - which is a series of R2D2 like beeps - into the Square apparatus through a stereo cable which diffused the data right into the Square app.
It basically turned the system into one that can be used for electronic-only transactions, allowing thieves to use stolen card information without the need for a cloned card. This glitch also keeps them from having to go to a store to make a purchase, and they don’t have to know the PIN either.
Laurie said that he skimmed a credit card himself utilizing a normal skimming device in his test, but he could have gotten stolen data from shady domains on the Internet. The two of them showed off their “attack” in a press conference.
They also said they made the discovery that the Square dongle can be used to take data from cards and turn it into a cloned card because the device has no encryption or authentication features. The magnetic strip data can be snatched by inserting the Square dongle into the audio input in the mobile device. Laurie’s little code turns the audio into credit card data that readable by the human eye.
"The dongle is a skimmer. It turns any iPhone into a skimmer," Laurie said. To clone a card, "now you need less technical hardware to do it and no technical skills at all."
Anyone can buy one of the numerous skimming machines available for purchase online, but they are designed for specialized tasks. "This lowers the bar" because it gives any jerk with a mobile device and a Square dongle the opportunity to skim a card while acting like they are performing a normal transaction, Laurie said. He also stated that "This really takes the hassle out of" skimming.
During their multiple demonstrations, the researchers scanned a Visa gift card through a Square dongle to place money into their account, which shows how easy it can be to use Square’s system to wipe out the cash on a gift card.
"You don't need a card or a dongle to do this hack," Laurie said.
Franken said that the buzz was that Square was getting ready to release new dongles that protect the data with encryption. Square’s people did not respond to requests for comment. A Square employee was in the audience during the demonstrations, and he had the difficult job of having to offering no comments to the press.
According to Laurie, they discovered these fraud techniques in February and reported them to officials at Square.  Square didn’t think it was a big deal and they said that they can monitor fraud with traffic analysis and through other means, Laurie said.
Supposedly the threat is mitigated by federal anti-fraud bank regulations in the U.S. that make it hard to set up fake accounts. But Laurie said that a little payola to people with real accounts would be an easy way to get around the regulations.
The U.K. based researchers needed a U.S. bank account to test the system. Franken says that it took less than 100 lines of code to write the program that can be used to steal from Square’s credit card system. That doesn’t seem like much work, especially for a hacker.