Researchers at the Black Hat security conference on Thursday revealed ways in which the Square payment system, which turns any iPhone, iPad or Android into a point-of-sale credit card processor, could be used for fraud.
Square provides a card-reading dongle that plugs into a smartphone or an iPad, working alongside a mobile app to carry out the transaction. To take a payment, the Square user swipes the customer’s card through the dongle. The service has generated $4m daily for Square, according to the company.
Privacy and consumer safety are always topics of consideration when it comes to mobile apps, especially those that handle money. A couple of researchers have uncovered how to turn mobile payment service Square into a convenient tool for criminals to pump cash from stolen credit card numbers.
Adam Laurie and Zac Franken of computer security firm Aperture Labs used a homemade software program and an easily bought iPad audio wire to trick Square in a way that could be a bonanza for crooks.
Laurie could type credit card numbers into his laptop, which converted them to sound data sent to Square, where the transaction registered as if a real card had been swiped through a dongle.
“Traditionally, the way you make money from stolen credit cards is sell the data to someone else or buy goods on it, then resell the goods and get the cash,” Laurie said while demonstrating the hack at a Black Hat computer security gathering in Las Vegas.
“This really takes the hassle out of it… I can put the money right in the account and it only costs me 2.75 percent.”
The hack proves that the Square app cannot distinguish between a true swipe on the dongle and an audio file fed to the app without swiping. In theory, the team could buy stolen credit card data in underground online markets and start up a practically skill-free criminal shop.
The duo was also able to pull money from a Visa gift card that is not officially allowed to be “cashed out.” They were also able to successfully skim a card using the dongle.
Square is due for an update and Franken noted that he heard the company is planning to release new dongles that encrypt credit card data. Encryption is key when it comes to mobile transaction tools, as McAfee reveals several issues with the online banking industry that gravely affect the consumer. When it comes to Square in particular, we’ve been hearing rumblings of potential security issues from ROAM, a company familiar with the industry. ROAM insists that such payments still need a “middleman” in order to ensure consumer safety and privacy, noting several of Square’s shortcomings.