According to news coming out of the Black Hat security conference this week, researchers have figured out a way to use the Square mobile payments system to access stolen credit card data. The ingenious thing about the hack demonstrated is that criminals would not even need to have the original stolen card present in order to use Square for fraud. Instead, they can convert magnetic stripe data into an audio file, use a stereo cable to feed it into the Square device (a small dongle that plugs into your smartphone’s headphone jack), and – ta-da! – the illegal transaction completes.
This hack turns the Square reader, a dongle meant to support swiped transactions, into one that can be used for electronic-only transactions, reports CNET. Creative? Yes. A real-world concern? We’re not so sure.
However, a second hack, which turns the dongle into a card skimmer is of more concern. And it begs the question: where is the hardware encryption Square promised us earlier?
Researchers Adam Laurie and Zac Franken, directors of Aperture Labs, discovered two different ways to hack Square, which they demonstrated at the conference. The first, which turns Square into a device that accepts cardless transactions, while interesting, is not as distressing as the second hack, we believe. In order for the first hack to work, it would seemingly have to involve a fraudulent merchant account, since the hardware involved would eliminate the possibility of face-to-face transactions.
It’s Hard to be a Fraudulent Merchant on Square
But it’s hard to create a dummy merchant account on Square, despite its “open to all” nature.
Besides simply making it easier for any individual to accept credit cards at dramatically lower rates, the Square system also takes advantage of the smartphone’s sensors itself to determine a device’s location when the card is swiped. Transactions that show a San Francisco Bay resident has all of a sudden gone on a shopping spree somewhere across the country, for example, would be an obvious red flag to Square’s risk management department, just as it would be for those using traditional credit card systems. And Square’s risk management is done in-house, in real-time. So far, that’s been a successful strategy for the company – its fraud protection rate of 0.05% is lower than the industry average of 0.07% and has remained consistent over time.
In addition, one of Square’s less-talked about features is its ability to track device IDs alongside these geo-coordinates and then cross-reference those with social signals. Yes, social media signals. When new merchant accounts are verified, Square looks at their social footprint: their Facebook page and number of fans, their Yelp reviews, Twitter followers and retweets, blog posts, Flickr photos, Google Street view, etc. All these things are taken into consideration before a merchant is determined to be a “real” person, and not a dummy account of some sort.
This matters because the hack in question would seemingly necessitate a dummy merchant account in order to work. After all, what merchant would let a criminal attach some sort of contraption to their smartphone during a face-to-face transaction?
Square as Credit Card Skimmer: This is the Real Concern
From the sounds of it, the above hack is not as worrisome as the second, which turns the Square reader into a credit card skimmer. This is the same sort of issue that VeriFone CEO Douglas Bergeron raised in March, posting an open letter to his company’s website warning consumers of the dangers involved with Square’s technology. Using the Square reader and a fake Square application, VeriFone was able to turn the Square device into a free skimming machine.
While reporters from sites like GigaOm, TechCrunch and Gizmodo initially attacked VeriFone as waging a smear campaign against its competitor, the issue it raised, however indelicately, was valid. The Square dongle did not include hardware encryption, which is (and should be) a concern. Without encryption, hacks that turn the dongle into a free credit card skimmer are not just possible, they’re easy to do.
Laurie and Franken demonstrated their variation of this hack at the conference, using a program that included less than 100 lines of code.
Soon after the VeriFone debacle, Square itself admitted that hardware encryption was a necessity. At a Visa conference in April, Square Security Lead Sam Quigley announced that Square would begin shipping dongles that offer hardware encryption sometime this summer. Well, summer’s almost up now, and apparently, the encrypted dongles aren’t yet available. Either that, or the researchers were using an older dongle to showcase their hack. Franken told CNET that he had heard Square would be shipping new dongles, but CNET was not able to reach Square to confirm. (Square is difficult to reach, for what it’s worth. We tried too.)
Update: Square has provided an official comment –
Like all credit card processors, we aggressively guard against the use of stolen credit cards- and we use traffic analysis and other patented methods to detect and prevent malicious activity.
While the ingenious nature of the first hack is notable, the complexities to implement it in the real world make it less of a danger to consumers and merchants alike. In addition, as CNET noted, federal anti-fraud bank regulations in the U.S make it difficult for fraudsters to set up dummy accounts, too. Laurie suggested that criminals could pay legitimate account holders to operate as Square money mules, but frankly, that’s a lot of effort when there are still much easier ways to commit fraud.
It’s the second hack that should be concerning. Where’s the hardware encryption that Square promised? When is it coming? Is it still coming? Why won’t Square respond to reporters’ questions about this?