Researchers find avenues for fraud in Square – CNET

Zac Franken, director at Aperture Labs, holds up the Square device for processing credit cards with a mobile device. His company has just discovered two ways to steal credit card data using Square.

Seth Rosenblatt/CNET

LAS VEGAS – Researchers at the Black Hat security conference today revealed two ways the Square payment system, which turns any iPhone, iPad or Android into a point-of-sale credit card processor, could be used for fraud.

Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that they can transfer money from a stolen card into their bank account associated with Square without having to swipe a card through the Square dongle card reader. To do this, they used code written by Laurie that lets them feed magnetic stripe data from a stolen card into a microphone and convert it into a sound file.

They then played that file, a series of beeps, into the Square device via a stereo cable, which transmitted the data directly into the Square app.

That effectively turns a merchant system that is designed to only accept physical cards for transactions into one that can be used for electronic-only transactions, enabling fraudsters to easily use stolen card data for transactions without having to create cloned cards and go to a store to make purchases or know PINs.

Laurie said he skimmed a credit card himself using a normal skimming device for his test, but he could have acquired stolen credit card data that is available in bulk on underground marketplaces on the internet. The pair demonstrated the attack in a news conference.

The researchers said they also discovered that the Square dongle can be used to skim data from cards in order to make cloned cards because the devices do not use encryption or authentication. The magnetic stripe card data can be grabbed by plugging the Square dongle into the audio input in the mobile device, and Laurie's special code converts the audio into the human-readable credit card data.

"The dongle is a skimmer. It turns any iPhone into a skimmer," Laurie said. "To clone a card, now you need less technical hardware to do it and no technical skills at all."

Zac Franken, left, and Adam Laurie, both directors at Aperture Labs, discovered that the Square system for processing credit cards on mobile devices was easy to hack.

Seth Rosenblatt/CNET

There are plenty of skimming machines available for purchase online, but they are specialized. This lowers the bar by giving anyone with a mobile device and a Square dongle the ability to skim a card while pretending to perform a legitimate transaction, Laurie said, adding that this really takes the hassle out of skimming.

In their demonstration, which they repeated during a session, the researchers swiped a Visa gift card through a Square dongle to put money into their account, illustrating the ability to use the Square system to effectively cash out gift cards.

"You don't need a card or a dongle to do this hack," Laurie said.

Franken said he had heard that Square was preparing to issue new dongles that encrypt the data. Square representatives did not immediately respond to an e-mail seeking comment. A Square employee who was in the session said he was not authorized to comment.

Laurie said the researchers figured these fraud methods out in February and reported them to representatives at Square. But Square didn't see it as a significant threat, saying that there are easier ways to commit credit card fraud and that they can detect fraud through traffic analysis and other methods, Laurie said.