Researchers attending the Black Hat security conference on Thursday demonstrated two ways in which Square — a mobile gadget that enables Android, iPhone, iPad, and iPod touch users to accept credit card payments — can be hacked to steal credit card data, with very little technical hardware required and “no technical skills at all.”
Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that, due to a lack of encryption in the current Square app and free dongle for swiping cards, the mobile payment system can be used to steal credit card information without even having the physical credit card.
Square works by converting credit card data into an audio file that is then transmitted to the credit card issuer for authorization.
In order to bypass the need to swipe a card, Laurie wrote a simple program — in less than 100 lines of code — that enables him and Franken to feed magnetic stripe data from stolen cards into a microphone and convert that data into an audio file. Once that file is played into the Square device via a $10 stereo cable, the data is sent directly to the Square app for processing.
Laurie and Franken’s hack proves that the Square app cannot distinguish between a true swipe on the dongle and an audio file fed to the app without swiping. In theory, the team could buy stolen credit card data in underground online markets and start up a practically skill-free criminal shop.
The duo was also able to pull money from a Visa gift card that is not officially allowed to be “cashed out.”
Square is due for an update, and Franken noted that he heard the company is planning to release new dongles that encrypt credit card data. We’ve reached out to Square for comment and are awaiting a response.