Update: Square has provided us with the following statement on the matter, stating that its products have special security measures and that the described problems are more of an industry-wide issue:
This story is about issues with magnetic-stripe credit cards, not Square. In 2015, it should not surprise us that a system using essentially the same technology as cassette tapes is vulnerable. That is why major credit card companies, lenders, and businesses are now embracing new, more secure, authenticated payment technologies. Square is helping to lead the way with our own card readers for chip cards and contactless payments.Any card reader on the market can be deconstructed. The chip could be crushed and then reassembled by using the undamaged shell of the reader. At Square, we have processes in place to prevent malicious behavior on damaged readers. Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square.
A new report out of Motherboard details how three recently graduated Boston University students have been able to easily hack the increasingly popular Square Reader. For those unfamiliar, Square Reader is an iOS accessory that allows retailers to easily accept credit and debit cards without having to spend the money on traditional point of sale terminals. Hackers have now discovered, however, a very easy way for merchants to steal card information from customers.
Sylvania HomeKit Light Strip
According to the report, the Boston University researchers have found a way to physically modify a current generation Square Reader and turn it into a card skimmer in under ten minutes. Once the physical modification is done, the device looks identical on the outside, allowing for continued, unquestioned use for the merchant. While physically modifying the device means that it won’t work with the Square app, hackers can still use it to store and record card information.
When it came to tampering with the Square Reader and turning it into a credit card skimmer, the company claimed that’s not an issue, because if somebody breaks the device the way the researchers did, it will stop working with the Square app. This response was “very frustrating” to the researchers, according to Mellen, because when they reported their method of altering the Square Reader to the company, Square dismissed it.
In fact even if the tampered reader won’t work with the Square app anymore, it can still be used to scam customers. For example, a seller could just pretend the swipe worked and let the customer go, or pretend it didn’t go through and ask the customer to swipe again using a backup Square Reader, Mellen told me in an email.
Another flaw the researchers discovered centers around the same principle of being able to record card names and information directly into a smartphone. The researchers say that they created a custom app to record the data, but they still haven’t decided if they will release it or not. In December of last year, the hackers were able to perform a similar type of scam with the then current generation model Square Reader, but that device has already been discontinued. Today’s revelation, however, works on the current generation Square Reader, although the company says they do not see it as a security threat.
“I can take that signal and convert it using a decoder freely available online, and then I have your credit card information,” Mellen told Motherboard.
The custom app, which they called “Swordphish,” essentially automates that process, taking the recorded signal, storing it away, and decoding it into credit card information, the researchers said.
“We do not see it as a security risk,” a Square employee wrote in the bug report, published on the bug bounty service HackerOne, which Square uses to interact and reward independent security researchers. “In particular, it is not possible to process a stored swipe more than once.”
Moreover, the company claims that they are tracking delayed, out-of-order swipes as a sign of potential fraud, “so we’d probably notice if you started throwing too many of these into our system,” a Square employee told Moore in December of last year.
You can read the full report here.