Square reader to card skimmer in less than 10 minutes

Two self-described hackers have shown the Black Hat audience how to convert a Square mobile payments reader into a credit card skimmer.
Written by Asha Barbaschow, Contributor

Two American self-described hackers have shown how to turn the latest model Square mobile payments readers into crime tools at the Black Hat computer security conference in Las Vegas.

Independent security researchers Alexandrea Mellen and John Moore were at the conference on Thursday to demonstrate hacks targeting Square software or the dongle that plugs into audio jacks to read credit card magnetic strips.

"We converted a Square Reader into a credit card skimmer in under 10 minutes," Mellen said.

"Any layman could do it."

She said the hardware hack can be done with simple tools including a screwdriver, wire and soldering iron, and that most of the time involved was spent carefully popping open the reader that Square provides to users of its mobile payments application.

Inside the reader, a wire is soldered between two points to bypass an encryption chip.

After that, unscrambled information from swiped credit cards can be collected, essentially stolen, to be sold on a black market or abused in other ways, according to Mellen.

On the software side, Moore provided details about a mobile application that enables a "playback attack" that allows merchants to charge customers for bogus transactions in the weeks or months after legitimate purchases are completed.

"We find this troubling because unless you are closely watching your credit card statements, you might not notice," said Moore, a recent Boston University graduate on his way to a job with Google.

Moore said that he and Mellen, also a recent Boston University graduate, targeted the Square Reader because the company, headed by Twitter co-founder Jack Dorsey, is a leader in a booming trend of using smartphones for real-world financial transactions.

"Square, given its size and a bug bounty program, is no easy target," Moore said.

"We suspect the vulnerabilities we found in Square might easily apply to other mobile point-of-sale service providers," Moore said.

New hardware and software is quickly being fielded in the competitive mobile payments market, with pressure on to keep plug-ins compact and inexpensive, according to Moore.

Mobile payments software needs to be compatible with a variety of mobile phones, which can't be secured as easily since they are used for many more purposes than making purchases.

Moore referred to the combination of factors as "a recipe for disaster". The hackers said they made their findings available to San Francisco-based Square but are not convinced fixes are planned.

Moore said Square told him they were watching for the kinds of bogus transactions that could be generated by "playback" hacks.

"They have the information to see the swipe of the credit card was taken weeks ago," Moore said.

In a statement to AFP, Square put the fault on credit cards that continue to rely on storing data on magnetic strips, the technology for which dates back to the bygone era of cassette tapes.

"It should not surprise us that a system using essentially the same technology as cassette tapes is vulnerable," a Square spokesperson said.

"That is why major credit card companies, lenders and businesses are now embracing new, more secure, authenticated payment technologies."

Those technologies include embedding cards with chips that transmit data wirelessly to sensors at checkouts.

Square maintained that any credit card reader on the market could be tampered with, but that the company takes precautions to protect cards swiped on unencrypted readers.

"We have processes in place to prevent malicious behaviour on damaged readers," Square said.

"If our encrypted readers are damaged, they will not work with Square."

Square recently announced collaboration with Apply Pay, the iPhone maker's NFC-based contactless payment system, which would allow consumers to pay via Apple Pay on Square NFC readers.

In Australia, it is approaching a year since EMV -- Europay, MasterCard, Visa chip technology -- became mandated across all card payment terminals in Australia. As of April this year, Visa estimated there were more than 100,000 contactless terminals deployed, and over 75 million contactless transactions made per month within Australia. Additionally, 60 percent of all face-to-face payments were said to be contactless in Australia.

Australian bank Westpac predicted that contactless payments via mobile would reach just under AU$3 billion by the end of this year, with the company saying that devices integrated with NFC technology will become more prominent in the marketplace.

Samsung and MasterCard have also teamed up to take Samsung Pay to Europe, collaborating on a European launch that was announced last week.

Also shown at Black Hat, the mobile security research team at Check Point reported a vulnerability in Android that affects devices made by major manufacturers including LG, Samsung, HTC, and ZTE.

The attack -- christened Cerifi-Gate -- is claimed to be capable of taking complete control of Android devices. The security hole works by using the mobile Remote Support Tool (mRST) app's security certificates to gain privileged access rights. These remote support applications, which are often pre-installed, and have root level access to Android devices.

Check Point said that there is not much you can do after you have realised your device has been compromised.

"The problem is further intensified because vulnerable apps cannot be completely revoked. Even after a fixed version is released, an attacker could use the old version to get control of the device."

IT security firm Cognosec highlighted vulnerabilities in the IoT standard, ZingBee at Black Hat. Cognosec discovered a flaw that leaves devices open for man-in-the-middle attacks and device hijacking.

Cognosec found that it is possible to compromise ZigBee networks and take over every IoT device connected to a hub.

With AAP.

Editorial standards