Researchers attending the Black Hat security conference on Thursday demonstrated two ways in which Square — a mobile gadget that enables Android, iPhone, iPad and iPod touch users to accept credit card payments — can be hacked to accept stolen credit card data, with very little technical hardware required and “no technical skills at all.”
Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that due to a lack of encryption in the current Square app and free dongle for swiping cards, the mobile payment system can be used to steal credit card information, without even having the physical credit card.
Square works by converting credit card data into an audio file that is then transmitted to the credit card issuer for authorization.
In order to bypass the need to swipe a card, Laurie wrote a simple program — in fewer than 100 lines of code — that enables him and Franken to feed magnetic strip data from stolen cards into a microphone and convert that data into an audio file. Once that file is played into the Square device via a $10 stereo cable, the data is sent directly to the Square app for processing.
The hack proves that the Square app cannot distinguish between a true swipe on the dongle and an audio file fed to the app without swiping. In theory, the team could buy stolen credit card data in underground online markets and start up a practically skill-free criminal shop.
The duo was also able to pull money from a Visa gift card that is not officially allowed to be “cashed out.” They were also able to successfully skim a card using the dongle.
Square is due for an update and Franken noted that he heard the company is planning to release new dongles that encrypt credit card data. We’ve reached out to Square for comment and are awaiting response.
[via: CNET]
More About: credit cards, data, data security, Mobile 2.0, mobile payments, security, SquareFor more Mobile coverage:Follow Mashable Mobile on TwitterBecome a Fan on FacebookSubscribe to the Mobile channelDownload our free apps for Android, Mac, iPhone and iPad
Posted on Fri, 05 Aug 2011 10:43:58 +0000 at http://feeds.mashable.com/~r/Mashable/~3/VygZceVlnuk/
Comments: http://mashable.com/2011/08/05/square-security/#comments
Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that due to a lack of encryption in the current Square app and free dongle for swiping cards, the mobile payment system can be used to steal credit card information, without even having the physical credit card.
Square works by converting credit card data into an audio file that is then transmitted to the credit card issuer for authorization.
In order to bypass the need to swipe a card, Laurie wrote a simple program — in fewer than 100 lines of code — that enables him and Franken to feed magnetic strip data from stolen cards into a microphone and convert that data into an audio file. Once that file is played into the Square device via a $10 stereo cable, the data is sent directly to the Square app for processing.
The hack proves that the Square app cannot distinguish between a true swipe on the dongle and an audio file fed to the app without swiping. In theory, the team could buy stolen credit card data in underground online markets and start up a practically skill-free criminal shop.
The duo was also able to pull money from a Visa gift card that is not officially allowed to be “cashed out.” They were also able to successfully skim a card using the dongle.
Square is due for an update and Franken noted that he heard the company is planning to release new dongles that encrypt credit card data. We’ve reached out to Square for comment and are awaiting response.
[via: CNET]
More About: credit cards, data, data security, Mobile 2.0, mobile payments, security, SquareFor more Mobile coverage:Follow Mashable Mobile on TwitterBecome a Fan on FacebookSubscribe to the Mobile channelDownload our free apps for Android, Mac, iPhone and iPad
Posted on Fri, 05 Aug 2011 10:43:58 +0000 at http://feeds.mashable.com/~r/Mashable/~3/VygZceVlnuk/
Comments: http://mashable.com/2011/08/05/square-security/#comments