A flaw in Square, the mobile payment service, enables criminals to convert stolen credit card details into cash, an expert said at last week’s Black Hat security conference. Adam Laurie of UK firm Aperture Labs demonstrated how to hack Square at the event and said it was possible because of the lack of encryption in the service’s free app and card-reader dongle. Square, whose service effectively turns smartphones and tablets into point-of-sale terminals, was told about the problem by Aperture back in February and said it would issue a new dongle with improved encryption, according to Laurie. Square was not available for comment.
Aperture’s Laurie, working with colleague Zac Franken, showed how Square’s service can be manipulated to transfer funds from a stolen credit card into a bank account without a physical card having to be swiped through the service’s card reader. Instead, Laurie has written code that enables a hacker to take data from a credit card’s magnetic stripe and convert it into a sound file. The file is then played through the Square device, which transmits the card data into the service’s application. The Square service is designed to accept only physical cards, but Aperture’s ruse enables electronic transactions to pass through it too. This means criminals can generate cash from stolen credit cards without having to create cloned cards and make physical purchases, or know the card’s PIN. Criminals who possess a user’s credit card number and authentication details still face the obstacle of how to turn the data into cash.
This is not the first time that Square has faced accusations about breaches in its security. Verifone, the US manufacturer of payment terminals, wrote an open letter back in March expressing concerns about the Square service. Doug Bergeron, Verifone’s CEO, wrote that “any reasonably skilled programmer can write an application that will skim a consumer’s financial and personal information right off the [user’s credit] card utilising an easily obtained Square card reader”.