We're thrilled to announce the return of GamesBeat Next, hosted in San Francisco this October, where we will explore the theme of "Playing the Edge." Apply to speak here and learn more about sponsorship opportunities here. At the event, we will also announce 25 top game startups as the 2024 Game Changers. Apply or nominate today!
A demonstration by researchers at the Black Hat security conference Thursday revealed that Square‘s mobile payment system, which turns smartphones and tablets into physical point-of-sale credit card processing terminals, can be used for credit card fraud, reports CNET.
The researchers, U.K.-based Aperture Labs directors Adam Laurie and Zac Franken, revealed two different methods for committing credit card fraud using Square. The first method transfers money from a stolen card into a bank account associated with Square without having to swipe it through Square’s card reader accessory.
It’s done using code written by Laurie that allows a person to feed magnetic stripe data from a credit card into a microphone and convert it into a sound file. Using a stereo cable, the audio file is played through the Square device, which transmits the credit card data directly into Square’s application.
The hack means that thieves can obtain credit card data and make transactions without having to clone the card, use a PIN number or go to a physical location.
VB Transform 2023 On-Demand
Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.
The second method uses the Square card reader dongle to clone credit cards by grabbing the magnetic strip data and converting it into audio. Then, using the same code written by Aperture’s Laurie, the audio is translated into credit card information. This is possible because Square’s card reader dongle doesn’t use encryption or authentication.
“The (Square) dongle is a skimmer. It turns any iPhone into a skimmer. Now you need less technical hardware to (commit credit card fraud) and no technical skills at all,” Laurie said during a press conference where he and Franken demonstrated the hack using Visa gift cards. “This lowers the bar” for credit card fraud, he added.
Square could not immediately be reached for comment about the potential credit card fraud risks associated with its card reader dongle.
Update: A Square spokesperson responded with the following statement:
This was not a vulnerability, but rather a simulated attempt to commit fraud. Like all credit card processors, we aggressively guard against fraud (such as the use of stolen credit cards)–and we use traffic analysis and other patented methods to detect and prevent malicious activity.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.