LAS VEGAS--Researchers at the Black Hat security conference today revealed two ways the Square payment system, which turns any iPhone, iPad or Android into a point-of-sale credit card processor, could be used for fraud.
Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that they can transfer money from a stolen card into their bank account associated with Square without having to swipe a card through the Square dongle card reader. To do this, they used code written by Laurie that lets them feed magnetic stripe data from a stolen card into a microphone and convert it into a sound file. They then played that file--a series of beeps--into the Square device via a stereo cable which transmitted the data directly into the Square app.
That effectively turns a merchant system that is designed to only accept physical cards for transactions into one that can be used for electronic-only transactions, enabling fraudsters to easily use stolen card data for transactions without having to create cloned cards and go to a store to make purchases or know PINs.
Laurie said he skimmed a credit card himself using a normal skimming device for his test, but he could have acquired stolen credit card data that is available in bulk on underground marketplaces on the Internet. The pair demonstrated the attack in a news conference.
The researchers said they also discovered that the Square dongle can be used to skim data from cards in order to make cloned cards because the devices do not use encryption or authentication. The magnetic stripe card data can be grabbed by plugging the Square dongle into the audio input in the mobile device and Laurie's special code converts the audio into the human readable credit card data.
"The dongle is a skimmer. It turns any iPhone into a skimmer," Laurie said. To clone a card, "now you need less technical hardware to do it and no technical skills at all."
There are plenty of skimming machines available for purchase online, but they are specialized. "This lowers the bar" by giving anyone with a mobile device and a Square dongle the ability to skim a card while pretending to perform a legitimate transaction, Laurie said, adding that "This really takes the hassle out of" skimming.
In their demonstration, which they repeated during a session, the researchers swiped a Visa gift card through a Square dongle to put money into their account, illustrating the ability to use the Square system to effectively cash out gift cards.
"You don't need a card or a dongle to do this hack," Laurie said.
Franken said he had heard that Square was preparing to issue new dongles that encrypt the data. Square representatives did not immediately respond to an e-mail seeking comment. A Square employee who was in the session said he was not authorized to comment.
Laurie said the researchers figured these fraud methods out in February and report them to representatives at Square. But Square didn't see it as a significant threat, saying that there are easier ways to commit credit card fraud and that they can detect fraud through traffic analysis and other methods, Laurie said.
However, the threat is significantly mitigated by federal anti-fraud bank regulations in the U.S. that make it difficult for fraudsters to set up dummy accounts. Laurie said the way around that would be to pay people to use their own accounts to link to the Square system and then transfer the money to the fraudsters, much like money mules are used to get stolen funds to overseas criminals in "work from home" and other online fraud schemes.
The researchers, who are based in the United Kingdom, needed to have a U.S. bank account to test the system.