Read Write Web has an interesting article up covering potential Square credit card reader vulnerabilities. To catch up, Square is a card reader designed by Jack Dorsey (inventor of Twitter), and allows people to take credit card payments with their iPhones. They also act as the credit card processor, cutting out traditional merchant account providers & transaction hardware manufacturers.

Anyway, at this year’s Black Hat security conference, a couple presenters figured out a couple ways to exploit the Square payment system, either by accepting cardless transactions or by skimming card data into a secondary app. One method involved converting track data as an audio signal, then piping it into the software through the headphone jack. The second and more useful method allows the Square card reader to send credit card data to another app, which is a little more disconcerting.

The card skimming exploit outlined in the article requires a jailbroken iPhone, custom software that reads the input data from the Square reader, and a Square reader. In this way, it’s remarkably easy to capture and store credit card data. The software could even be designed to look like the Square processing software, further adding to the illusion of a safe transaction.

The crux of the article was that hardware encryption would render this technique moot, and that’s a great point to make. Encrypting the data before it’s even sent to the iPhone/iPad makes it nigh impossible to turn the encrypted gibberish into legitimate credit card data. However, there are already a ton of unencrypted Square readers now in the wild, and on Ebay for a couple bucks, so the potential for fraud sticks around. I emailed Square to find out if, when the encrypted readers come out, they’ll exchange them with existing customers, but haven’t heard back.

While it is a little scary to think of iPhones as a new vector for committing fraud, the steps required to achieve it are a little steeper than exist for standard retail PCs with credit card readers attached. Most POS systems in retail & restaurant locations run some flavor of Windows and are connected to the internet to process transactions. But that also means they’re connected to the internet for idle people to surf the web, catch malware, and generally cause problems. Grabbing an encrypted card reader for your business or even switching to a separate payment terminal can definitely mitigate these issues.

So to sum up: Square credit card readers can potentially be used for evil. So can regular credit card readers. As a customer, don’t hand your card over unless you trust the business or person running the transaction. As a merchant, make sure you have methods in place to prevent your customers’ credit card data gets in the wrong hands.

%d bloggers like this: