Square Card Reader Vulnerabilities
August 9, 2011
Read Write Web has an interesting article up covering potential Square credit card reader vulnerabilities. To catch up, Square is a card reader designed by Jack Dorsey (inventor of Twitter), and allows people to take credit card payments with their iPhones. They also act as the credit card processor, cutting out traditional merchant account providers & transaction hardware manufacturers.
Anyway, at this year’s Black Hat security conference, a couple of presenters demonstrated two ways to exploit the Square payment system: accepting cardless transactions, or skimming card data into a secondary app. The first method involved encoding track data as an audio signal and piping it into the software through the headphone jack. The second and more useful method lets the Square card reader send credit card data to another app, which is a little more disconcerting.
The card skimming exploit outlined in the article requires a jailbroken iPhone, custom software that reads the input data from the Square reader, and a Square reader. In this way, it’s remarkably easy to capture and store credit card data. The software could even be designed to look like the Square processing software, further adding to the illusion of a safe transaction.
The crux of the article was that hardware encryption would render this technique moot, and that’s a great point to make. Encrypting the data before it’s even sent to the iPhone/iPad makes it nigh impossible to turn the encrypted gibberish back into legitimate credit card data. However, there are already a ton of unencrypted Square readers in the wild, and on eBay for a couple of bucks, so the potential for fraud sticks around. I emailed Square to find out if, when the encrypted readers come out, they’ll exchange them with existing customers, but haven’t heard back.
While it is a little scary to think of iPhones as a new vector for committing fraud, the steps required to achieve it are a little steeper than those for standard retail PCs with credit card readers attached. Most POS systems in retail & restaurant locations run some flavor of Windows and are connected to the internet to process transactions. But that also means they’re connected to the internet for idle people to surf the web, catch malware, and generally cause problems. Grabbing an encrypted card reader for your business, or even switching to a separate payment terminal, can definitely mitigate these issues.
So to sum up: Square credit card readers can potentially be used for evil. So can regular credit card readers. As a customer, don’t hand your card over unless you trust the business or person running the transaction. As a merchant, make sure you have methods in place to prevent your customers’ credit card data from getting into the wrong hands.
Netswipe Webcam-Based Card Reading
July 26, 2011
A lot of brilliant people are making some phenomenal progress in credit card processing and card security methods, and this new method of using your webcam to capture credit card data for purchases sounds intriguing.
They have some of the nitty-gritty in the press release, but I’ll try to break it down somewhat. Right now when you buy stuff online, you have to manually enter your credit card data. And a lot of personal data. I think most retailers require billing address, CC number, CVV, and blood type. All this data is encrypted a TON and fired off to the retailer, who then runs the card and sends you some culottes or mustache wax. I buy weird stuff. What’s really unfortunate is that the data can still be compromised/captured on the PC before it ever gets encrypted, via keyloggers and other assorted malware designed to steal your stuff.
Enter Jumio and Netswipe. Rather than hand-enter data, your webcam opens a secure connection to an authentication service, and you hold your card in front of the webcam while it gets a read. It might also see your messy apartment, but I don’t think it will judge. You use your mouse to enter the CVV so keyloggers just see some clicks, and the transaction’s complete. They mention that this could be used at businesses as well; my guess would be via a 2D barcode scanner that can also capture images.
I think Netswipe has the potential to minimize a lot of fraud that occurs online. You actually need the card to make the transaction, so you cut back potential users to those who own the card, or may have physically stolen it. Although a well-printed duplicate may also work, I’m not sure how that plays out. Since the CVV is entered by mouse clicks instead of keystrokes, you also eliminate another chunk of data that could be stolen.
My only worry would be malware designers building for this new capture method, where they either capture the video stream, or set the camera to take a still image after the transaction’s complete, so then they get a nice crisp image of the card instead of the keyboard-entered data. But I’m sure the Jumio developers are looking at a variety of ways to minimize abuse.
In the meantime, there are methods to secure transactions at the point of sale. The MagTek Centurion card reader offers hardware encryption that is only decrypted by your credit card processor. I’ve mentioned previously that businesses are starting to get fined for data breaches, so taking steps to secure sensitive data now will definitely save you time and money in the long run.
Why PCI Compliance Is Important
March 31, 2011
PCI Compliance has (to me) seemed like a pretty big boogeyman over the years. Like a method for credit card processors to impose higher rates on businesses who aren’t following very specific and esoteric rules for data encryption. Data security is vital in business, especially when it’s customer data like credit cards and addresses and such. But a lot of the rules always felt like overkill.
After hearing about a restaurant chain in Boston being fined $110,000 for a data breach, I can see why PCI Compliance is going to be more and more important. The business in question had malicious software unknowingly installed onto one of their PCs, giving a third party access to credit and debit card info. The software wasn’t detected for 8 months, including the holiday season, so a lot of customer data could have been lifted.
Massachusetts has one of the strictest data breach policies in the country, as well as the most difficult to spell name, but that doesn’t take away from the fact that this business could’ve taken a few modest steps to eliminate this problem. Antivirus/antimalware software could probably have caught this issue quickly, but an even better step would be to limit employee access to the web on payment terminals. If they can’t connect to malicious sites, they can’t download malicious code. And if the malware comes from someone installing software from portable media, you have a bigger issue at your business than PCI Compliance.
However, if your merchant account provider can swing it, a really easy way to secure customer credit and debit data is to get an encrypted credit card reader, like MagTek’s Centurion. The reader is programmed by your credit card processor and uses hardware in the device itself to encrypt card data, which is decrypted by the processor upstream. So now even if your computer is festooned with malware, viruses, trojans, and every other piece of horrific software, all they can get is gibberish. Hard to commit fraud with gibberish.
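The Square post above and the Centurion paragraph here rest on the same idea: if the reader encrypts track data under a key that only the processor holds, the POS (and any malware on it) sees nothing but gibberish. The Python sketch below simulates that flow end to end. It is an added example, not code from this page, from Square or from MagTek, and the page does not describe either vendor’s actual scheme. It assumes the processor injects a base key into the reader, that each swipe derives a fresh key from that base key, the reader serial and a swipe counter (a simplified stand-in for DUKPT-style derivation), and it uses HMAC-SHA256 in counter mode as the stream cipher plus a separate HMAC tag, since Python’s standard library has no AES. The sample key, serial and track 2 string are constructed test values.

```python
"""Simulated point-to-point encryption between an encrypting card reader and
the payment processor.  Added example, not code from the page, Square or
MagTek.  Assumptions: a processor-injected base key, per-swipe key derivation
from (base key, serial, counter) as a simplified stand-in for DUKPT-style
derivation, and HMAC-SHA256 in counter mode as the cipher because the
standard library has no AES.  All sample values are constructed."""
import hashlib
import hmac
import re
from typing import Optional

# Track 2 layout: ';' start sentinel, PAN, '=', expiry/service code/discretionary data, '?' end sentinel
TRACK2 = re.compile(r"^;(?P<pan>\d{13,19})=(?P<rest>\d+)\?$")

# Constructed sample values (not real credentials; 4111... is a widely used test PAN)
SAMPLE_BASE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
SAMPLE_SERIAL = b"RDR-TEST-0001"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (BIN and receipt digits), hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def derive_swipe_key(base_key: bytes, serial: bytes, counter: int) -> bytes:
    """Fresh key per swipe; the base key itself never leaves the reader or processor."""
    return hmac.new(base_key, serial + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def _subkeys(swipe_key: bytes) -> tuple:
    """Separate keys for confidentiality and integrity, derived from the swipe key."""
    enc_key = hmac.new(swipe_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(swipe_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, length: int) -> bytes:
    """PRF in counter mode; the key is single-use, so restarting the block counter at 0 is safe."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reader_encrypt(base_key: bytes, serial: bytes, counter: int, track2: str) -> dict:
    """What the reader hands to the POS: a masked PAN for the receipt, ciphertext and a tag."""
    m = TRACK2.match(track2)
    if m is None:
        raise ValueError("not a track 2 string")
    enc_key, mac_key = _subkeys(derive_swipe_key(base_key, serial, counter))
    plaintext = track2.encode("ascii")
    ciphertext = _xor(plaintext, _keystream(enc_key, len(plaintext)))
    header = serial + counter.to_bytes(4, "big")
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"serial": serial, "counter": counter, "masked_pan": mask_pan(m["pan"]),
            "ct": ciphertext, "tag": tag}


def pan_exposed(message: dict, pan: str) -> bool:
    """The defender's check: does anything the POS receives contain the full PAN?"""
    visible = message["serial"] + message["ct"] + message["tag"] + message["masked_pan"].encode("ascii")
    return pan.encode("ascii") in visible


def processor_decrypt(base_key: bytes, message: dict) -> Optional[str]:
    """Processor side: verify the tag before decrypting.  None means reject the swipe."""
    enc_key, mac_key = _subkeys(derive_swipe_key(base_key, message["serial"], message["counter"]))
    header = message["serial"] + message["counter"].to_bytes(4, "big")
    expected = hmac.new(mac_key, header + message["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return _xor(message["ct"], _keystream(enc_key, len(message["ct"]))).decode("ascii")


if __name__ == "__main__":
    msg = reader_encrypt(SAMPLE_BASE_KEY, SAMPLE_SERIAL, 1, SAMPLE_TRACK2)
    print("POS sees masked PAN:", msg["masked_pan"], "and ciphertext:", msg["ct"].hex())
    print("full PAN visible on POS:", pan_exposed(msg, "4111111111111111"))
    print("processor recovers:", processor_decrypt(SAMPLE_BASE_KEY, msg))
```

The malware-on-the-POS scenario from the Boston breach is the `pan_exposed` check: everything the host receives is either masked or ciphertext, so a keylogger or memory scraper has nothing to sell. The swipe counter does two jobs: it gives every swipe a distinct key, and it lets the processor spot a replayed message if it tracks the last counter seen per reader serial (not implemented here). A real deployment would use AES or TDES with a standardized derivation scheme rather than this HMAC construction.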