Security researchers have come up with a way to turn the Square Reader into a tool for stealing data from credit cards. A group of recent graduates of Boston University will be speaking out about how they can modify the smartphone accessory, used to facilitate card payments via Square’s service, to allow any other app to intercept the data and use the card owner’s payment information for other, presumably illegal, uses.
Scheduled to speak at the Black Hat security conference in Las Vegas, the group warns that the manufacturers of card reader accessories are opening up their devices to compromise, in order to keep the cost of the item down and the size small. The use of lower-quality components and the reliance on direct communication with the smartphone is seen as weak points for mobile point of sale systems by the researchers, reports Motherboard.
Following a year of research into the Square Reader, John Moore, Alexandrea Mellen, and Artem Losev discovered a number of ways to break the security of the Square system, specifically to turn it into a credit card skimmer. The team can quickly take apart and tamper with the electronics within the reader, making it appear stock but not encrypting any data. While Square claims this prevents the reader from working with the Square app, the team reasons this could still make the accessory a more generic skimmer.
The team also claim to have come up with a method of getting the same data without modifying the Square Reader at all, using a form of man-in-the-middle attack. A custom app has been created that can record the signal created during the swiping process, which can then be replayed through the Square app at a later time to charge the card, or used with a decoder tool to access the card details. The “Swordphish” app is said to automate the process further, recording and decoding the signal for the user.
Despite the research, a Square employee claims the company does not “see it as a security risk,” adding “it is not possible to process a stored swipe more than once.” Also, Square is apparently tracking delayed and out-of-order swipes, noting them as signs of potential fraud.
Even so, the researchers are keen to highlight the potential security issues with card readers to customers of merchants using them. “Just because now we are able to process credit cards using our smartphones, it doesn’t mean that everything is just as secure as it has been in the past,” claims Moore, advising that people still need to worry about their personal information or accounts being used for fraudulent purposes.
