Update: Square has provided us with the following statement on the matter, stating that its products have special security measures and that the described problems are more of an industry-wide issue:
A new report out of Motherboard details how three recently graduated Boston University students have been able to easily hack the increasingly popular Square Reader. For those unfamiliar, Square Reader is an iOS accessory that allows retailers to easily accept credit and debit cards without having to spend the money on traditional point of sale terminals. Hackers have now discovered, however, a very easy way for merchants to steal card information from customers.
According to the report, the Boston University researchers have found a way to physically modify a current generation Square Reader and turn it into a card skimmer in under ten minutes. Once the physical modification is done, the device looks identical on the outside, allowing for continued, unquestioned use for the merchant. While physically modifying the device means that it won’t work with the Square app, hackers can still use it to store and record card information.
Another flaw the researchers discovered centers around the same principle of being able to record card names and information directly into a smartphone. The researchers say that they created a custom app to record the data, but they still haven’t decided if they will release it or not. In December of last year, the hackers were able to perform a similar type of scam with the then current generation model Square Reader, but that device has already been discontinued. Today’s revelation, however, works on the current generation Square Reader, although the company says they do not see it as a security threat.
In fact even if the tampered reader won’t work with the Square app anymore, it can still be used to scam customers. For example, a seller could just pretend the swipe worked and let the customer go, or pretend it didn’t go through and ask the customer to swipe again using a backup Square Reader, Mellen told me in an email.
You can read the full report here.
The custom app, which they called “Swordphish,” essentially automates that process, taking the recorded signal, storing it away, and decoding it into credit card information, the researchers said.
“We do not see it as a security risk,” a Square employee wrote in the bug report, published on the bug bounty service HackerOne, which Square uses to interact and reward independent security researchers. “In particular, it is not possible to process a stored swipe more than once.”
Moreover, the company claims that they are tracking delayed, out-of-order swipes as a sign of potential fraud, “so we’d probably notice if you started throwing too many of these into our system,” a Square employee told Moore in December of last year.
