Researchers at the Black Hat security conference today revealed two ways the Square payment system, which turns any iPhone, iPad or Android into a point-of-sale credit card processor, could be used for fraud. Square a mobile gadget that enables Android, iPhone, iPad, and iPod touch users to accept credit card payments can be hacked to steal credit card data, with very little technical hardware required.
Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that due to a lack of encryption in the current Square app and free dongle for swiping cards, the mobile payment system can be used to steal credit card information, without even having the physical credit card.Square works by converting credit card data into an audio file that is then transmitted to the credit card issuer for authorization.
"The dongle is a skimmer. It turns any iPhone into a skimmer," Laurie said. To clone a card, "now you need less technical hardware to do it and no technical skills at all."
Laurie and Franken’s hack proves that the Square app cannot distinguish between a true swipe on the dongle and an audio file fed to the app without swiping. In theory, the team could buy stolen credit card data in underground online markets and start up a practically skill-free criminal shop.
The researchers, who are based in the United Kingdom, needed to have a U.S. bank account to test the system.