Researchers: Square Card Reader Provides Straight Line to Illicit Cash?

Security researchers at the Black Hat Briefings demonstrated a method for turning purloined credit card information into cash, this time using Square, a free credit card reader that promises to turn anyone with a mobile device into a merchant capable of accepting credit card payments. 

Square ReaderSecurity researchers at the Black Hat Briefings demonstrated a method for turning purloined credit card information into cash, this time using Square, a free credit card reader that promises to turn anyone with a mobile device into a merchant capable of accepting credit card payments. 

Adam Laurie and Zac Franken of Aperture Labs said showed off a method for demonstration on Thursday  at the Las Vegas security conference, using a freely available software program to emulate the Square reader and conduct a transaction over the company’s transaction processing service. 

The hack occurred to Laurie during an airport layover, when he read about the Square technology, which converts magnetic stripe data into audio signals that are then read by a software application and used to process transactions through Square merchant accounts. The description rang a bell with Laurie, who had demonstrated a similar program at DEFCON in 2006 that could be used to bypass magnetic stripe hotel door cards and credit cards. Modifying that simple application to emulate the Square reader was an easy matter, Laurie said. 

Square did not immediately respond to a request for comment. 

When modified, the program translated raw magnetic stripe data into the audio pulses that the Square application needs to initiate transactions. Laurie and Franken demonstrated their attack using a stored value credit card, run through a USB card reader. That data was sent, via a standard audio cord, to an Apple iPad running the Square merchant application, which received the audio data and prompted Laurie and Franken to enter an amount for the transaction. They charged $2 off the stored value card, which was then deposited in the Square merchant account. 

Though a legitimate stored value credit card was used for their demonstration, Franken and Laurie said that a malicious user could easily substitute that with raw credit card magstripe data purchased online. That could lower the bar for cyber criminals to turn stolen credit cards and identities into cold, hard cash – the most challenging aspect of cybercrime today. 

Traditionally, there have been only a few ways to make money off of stolen identity information: selling it directly online in the underground market, or the stolen information could be used to purchase merchandise online or in person, which could then be sold second hand and turned into cash that way. The Square reader emulator removes at least one of those intermediate steps by allowing cyber criminals to send money directly to a bank account they control through the Square service, the researchers contend. 

The demonstration comes with a lot of caveats. First: individuals who want to set up a merchant account on Square must provide an address, Social Security Number and legitimate US bank account and bank routing number. Cyber criminals would at least need that quantity of stolen information to set up a Square account. Providing it would be a barrier that would likely turn away many would be thieves. Second: bank fraud detection systems flag a high volume of fraudulent transactions through Square, making  high volume of transactions unlikely. 

Franken and Laurie said the main vulnerability on show was the U.S.’s continued reliance on highly insecure magnetic stripe technology for credit cards, which persist long after other countries have transitioned to more secure “Chip and PIN” cards. Mag stripe credit and prepaid gift cards are a popular target for both sophisticated criminal syndicates and common criminals. Both investment in and research and development on contactless payments lag in the U.S., which has become the market of choice for cyber criminals, given the weak protections for credit- and debit cards. 

However, Square’s decision not to encrypt data transfers between the reader and its application, or require its card readers to authenticate to the Square software make cloning a card reader a trivial matter, they say.

The confluence of ubiquitious mobile devices and a wave of mobile payments is widely seen as a fruitful area for fraudsters. In recent months, researches have demonstrated how malicious software, installed on mobile devices, could be used to siphon off credit card and payment data stored on- or processed through mobile devices using services like Square

Suggested articles

Discussion

  • Anonymous on

    Although the first run Square readers were not encrypting, and I have to conclude this hack was performed using one of those, Visa invested millions in Square in April and will require them to use encrypting stripe readers moving forward.

    I wonder if the author of this article was aware of that...?

    Square is a non-traditional product that caters to high-risk transactions and is part of Visa's overall goal to supplant Paypal if possible with solutions like P2P (which Visa just released) and non-traditional merchant solutions like Square.

    Traditional merchants who have underwritten accounts would be better served using something like ROAM data or Payware Mobile... products that use encrypting stripe readers.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.