Security researchers at the Black Hat Briefings demonstrated a method for turning purloined credit card information into cash, this time using Square, a free credit card reader that promises to turn anyone with a mobile device into a merchant capable of accepting credit card payments.
Adam Laurie and Zac Franken of Aperture Labs showed off the method on Thursday at the Las Vegas security conference, using a freely available software program to emulate the Square reader and conduct a transaction over the company’s transaction processing service.
The hack occurred to Laurie during an airport layover, when he read about the Square technology, which converts magnetic stripe data into audio signals that are then read by a software application and used to process transactions through Square merchant accounts. The description rang a bell with Laurie, who had demonstrated a similar program at DEFCON in 2006 that could be used to bypass magnetic stripe hotel door cards and credit cards. Modifying that simple application to emulate the Square reader was an easy matter, Laurie said.
Square did not immediately respond to a request for comment.
When modified, the program translated raw magnetic stripe data into the audio pulses that the Square application needs to initiate transactions. Laurie and Franken demonstrated their attack using a stored value credit card, run through a USB card reader. That data was sent, via a standard audio cord, to an Apple iPad running the Square merchant application, which received the audio data and prompted Laurie and Franken to enter an amount for the transaction. They charged $2 off the stored value card, which was then deposited in the Square merchant account.
Though a legitimate stored value credit card was used for their demonstration, Franken and Laurie said that a malicious user could easily substitute that with raw credit card magstripe data purchased online. That could lower the bar for cyber criminals to turn stolen credit cards and identities into cold, hard cash – the most challenging aspect of cybercrime today.
Traditionally, there have been only a few ways to make money off of stolen identity information: selling it directly in the online underground market, or using it to purchase merchandise online or in person, which could then be resold second hand and turned into cash that way. The Square reader emulator removes at least one of those intermediate steps by allowing cyber criminals to send money directly to a bank account they control through the Square service, the researchers contend.
The demonstration comes with a lot of caveats. First: individuals who want to set up a merchant account on Square must provide an address, Social Security Number and a legitimate US bank account and bank routing number. Cyber criminals would need at least that quantity of stolen information to set up a Square account. Providing it would be a barrier that would likely turn away many would-be thieves. Second: bank fraud detection systems flag a high volume of fraudulent transactions through Square, making a high volume of transactions unlikely.
Franken and Laurie said the main vulnerability on show was the U.S.’s continued reliance on highly insecure magnetic stripe technology for credit cards, which persists long after other countries have transitioned to more secure “Chip and PIN” cards. Mag stripe credit and prepaid gift cards are a popular target for both sophisticated criminal syndicates and common criminals. Both investment in and research and development on contactless payments lag in the U.S., which has become the market of choice for cyber criminals, given the weak protections for credit and debit cards.
However, Square’s decision not to encrypt data transfers between the reader and its application, or to require its card readers to authenticate to the Square software, makes cloning a card reader a trivial matter, they say.
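To make the researchers' point concrete from the defensive side, the following is an added example (not code from the article, from Square, or from Aperture Labs) of what reader authentication would buy. It models a hypothetical reader that holds a per-device secret and tags each swipe with an HMAC and a monotonically increasing counter, and a merchant app that refuses any swipe it cannot verify. The reader ID, key, message format and the Track 2 value (built from the well-known Visa test number 4111 1111 1111 1111) are all constructed for the example; a real design would also encrypt the track data, which the Python standard library's `hmac` module alone does not provide.

```python
import hashlib
import hmac

# Constructed Track 2 sample: PAN=YYMM + service code. Test PAN, not a real card.
SAMPLE_TRACK2 = "4111111111111111=2512101"


class AuthenticatingReader:
    """Hypothetical card reader that signs every swipe with a per-device secret.

    Unlike an unauthenticated reader, which only has to produce the expected
    signal shape, this one cannot be emulated without its key.
    """

    def __init__(self, reader_id: str, key: bytes):
        self.reader_id = reader_id
        self.key = key
        self.counter = 0  # increments per swipe so the app can detect replays

    def swipe(self, track_data: str) -> dict:
        self.counter += 1
        payload = _payload(self.reader_id, self.counter, track_data)
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {
            "reader_id": self.reader_id,
            "counter": self.counter,
            "track": track_data,
            "tag": tag,
        }


class MerchantApp:
    """Hypothetical merchant app that only accepts swipes from enrolled readers."""

    def __init__(self, reader_keys: dict):
        self.reader_keys = reader_keys  # reader_id -> per-device key
        self.last_counter = {}          # reader_id -> highest counter seen

    def accept(self, msg: dict) -> tuple:
        """Return (accepted, reason). Rejects unknown readers, bad tags, replays."""
        key = self.reader_keys.get(msg.get("reader_id"))
        if key is None:
            return False, "unknown reader"
        payload = _payload(msg["reader_id"], msg["counter"], msg["track"])
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking does not leak timing
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag"
        if msg["counter"] <= self.last_counter.get(msg["reader_id"], 0):
            return False, "replay"
        self.last_counter[msg["reader_id"]] = msg["counter"]
        return True, "ok"


def _payload(reader_id: str, counter: int, track_data: str) -> bytes:
    # Binds reader identity, swipe counter and track data under one tag
    return f"{reader_id}|{counter}|{track_data}".encode()


def demo() -> tuple:
    """Genuine swipe is accepted; a replay and a keyless forgery are rejected."""
    key = bytes(range(32))  # constructed fixed key so the demo is reproducible
    reader = AuthenticatingReader("RDR-0001", key)
    app = MerchantApp({"RDR-0001": key})

    genuine = reader.swipe(SAMPLE_TRACK2)
    first = app.accept(genuine)
    replayed = app.accept(genuine)  # same message again

    # Software without the device key can produce the right fields but not the tag
    forged = {"reader_id": "RDR-0001", "counter": 2,
              "track": SAMPLE_TRACK2, "tag": "00" * 32}
    forged_result = app.accept(forged)
    return first, replayed, forged_result


if __name__ == "__main__":
    for label, result in zip(("genuine", "replay", "forgery"), demo()):
        print(f"{label}: {result}")
```

The point is the contrast with the scenario in the article: when the app checks nothing about the origin of the swipe, any program that produces the expected signal is indistinguishable from the real reader, whereas a per-device key moves the attacker's problem from emulating a signal to extracting a secret.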
The confluence of ubiquitous mobile devices and a wave of mobile payments is widely seen as a fruitful area for fraudsters. In recent months, researchers have demonstrated how malicious software, installed on mobile devices, could be used to siphon off credit card and payment data stored on or processed through mobile devices using services like Square.