Square Fraud was Inevitable. Encryption, Anyone?

Researchers at the Black Hat security conference on Thursday revealed ways in which the Square payment system, which turns any iPhone, iPad or Android into a point-of-sale credit card processor, could be used for fraud.

Square provides a card-reading dongle that plugs into a smartphone or an iPad and works alongside a mobile app to carry out the transaction. To take a payment, the Square user swipes the customer’s card through the dongle. The service has generated $4m daily for Square, according to the company.

Privacy and consumer safety are always a consideration when it comes to mobile apps, especially those that handle money. A pair of researchers have uncovered how to turn the mobile payment service Square into a convenient tool for criminals to pump cash from stolen credit card numbers.

Adam Laurie and Zac Franken of computer security firm Aperture Labs used a homemade software program and an easily bought iPad audio wire to trick Square in a way that could be a bonanza for crooks.

Laurie could type credit card numbers into his laptop, which converted them to sound data sent to Square, where the transaction registered as if a real card had been swiped through a dongle.

“Traditionally, the way you make money from stolen credit cards is sell the data to someone else or buy goods on it, then resell the goods and get the cash,” Laurie said while demonstrating the hack at a Black Hat computer security gathering in Las Vegas.

“This really takes the hassle out of it… I can put the money right in the account and it only costs me 2.75 percent.”

The hack proves that the Square app cannot distinguish between a true swipe through the dongle and an audio file fed to the app without any swipe. In theory, the team could buy stolen credit card data in underground online markets and start up a practically skill-free criminal shop.

The duo was also able to pull money from a Visa gift card that is not officially allowed to be “cashed out.” They were also able to successfully skim a card using the dongle.

Square is due for an update, and Franken noted that he had heard the company is planning to release new dongles that encrypt credit card data. Encryption is key when it comes to mobile transaction tools, as McAfee reveals several issues with the online banking industry that gravely affect the consumer. When it comes to Square in particular, we’ve been hearing rumblings of potential security issues from ROAM, a company familiar with the industry. ROAM insists that such payments still need a “middleman” in order to ensure consumer safety and privacy, noting several of Square’s shortcomings.