
Buyer beware! Customers paying for goods and services at businesses that use the increasingly popular Square Reader to conduct their transactions may want to think twice about swiping their credit cards through them: researchers at Boston University have turned the useful card reading phone attachment into a skimming device that can steal a customer’s credit card information.

In less than 10 minutes, and using common household items like glue and a screwdriver, three Boston University graduate students tampered and tinkered with a Square Reader, disabling the encryption that protects credit card data as it is transmitted to the smartphone using the reader. They plan to unveil their findings and method at the Black Hat security conference this week in Las Vegas.

Because mobile point of sale systems like Square are so small and cheap, manufacturers have to make compromises that result in decreased levels of security. Lower quality materials that are directly integrated to work with smartphones make ripping information from the readers and storing it in smartphones a sizeable security concern.

With no visible external sign to tip off watchful consumers that something fishy is going on, it’s quite simple for a manipulative business owner to scam customers using a tweaked version of the Square Reader.

Square has responded to the research conducted by students John Moore, Alexandrea Mellen and Artem Losev, saying that a tampered Square Reader won’t configure with the Square app, the program that runs and processes transactions from the physical reader. The students counter these claims, noting that a modified reader can still be used as a generic credit card skimmer.

Even with an unaltered, encrypted reader, a sneaky, slimy seller can log credit card swipes into their smartphone and access that information later to conduct fraudulent transactions. A custom app they developed called Swordphish enabled the students to record the signal emitted when a credit card’s magnetic strip is swiped, allowing them to play it back through the app at a later time. Even without the app, they were able to use free online decoders to convert the signals they acquired.

Square responded to this claim in a report on HackerOne, a forum the company uses to interact with and laud independent security researchers, dismissing the issue as merely a bug in their system and saying it posed no real security threat. Square also remains adamant that they watch for any sketchy activity among merchants that use their readers, taking special note of suspicious sequences of swipes, or swipes that are delayed, as probable signs of fraud.

Nevertheless, despite Square’s hearty attempts to downplay the findings of these researchers, the point still remains: these new card reading technologies aren’t foolproof, and customers, especially in this digital age, should be mindful of how easily a scam or hack like the one that can be performed on Square’s reader can threaten their private financial information. The antiquated method of paying for things with cold, hard cash is starting to look rudimentarily safer in hindsight. If it ain’t broke…
