The Square Reader has helped lower the barrier to entry for many small retailers keen to take payments on card. Now, though, new research reveals that it’s possible to turn one of the readers into a skimmer.


Security researchers have discovered that it’s possible to disable the encryption systems on the device to garner card details. “During a valid sale, a malicious merchant or third party can record several extra encrypted swipes of a credit card,” explain the researchers. “Provided the data from extra swipes is not sent to Square’s servers, they can then play these recordings back into the Square Register app at a much later time, even out of order, in order to initiate and complete fraudulent transactions at a later date.”

Update: Alexandrea Mellen, one of the researchers, got in touch to point out that the research actually describes two separate attacks. She explains:


1. We can turn a new Square Reader into a credit card skimmer in under 10 minutes - and it will still physically look exactly like a Square Reader. The attack allows malicious merchants to gather and subsequently sell user credit card information. This attack does not store swipes, but does store the victim's credit card information.

2. We have identified a method where, for every unique swipe of a customer’s credit card, a merchant is able to conduct a new transaction at a later point in time, even long after the customer has left and unbeknownst to him or her. Square has the information needed to fully prevent such attacks as they’re attempted, but due to complexity has opted not to do so. This attack stores swipes for later use.

Update 8/4 2:10 PM: Comment from Square:

This story is about issues with magnetic-stripe credit cards, not Square. In 2015, it should not surprise us that a system using essentially the same technology as cassette tapes is vulnerable. That is why major credit card companies, lenders, and businesses are now embracing new, more secure, authenticated payment technologies. Square is helping to lead the way with our own card readers for chip cards and contactless payments.

Any card reader on the market can be deconstructed. The chip could be crushed and then reassembled by using the undamaged shell of the reader. At Square, we have processes in place to prevent malicious behavior on damaged readers. Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square.

Perhaps the best advice is to always pay attention to the kind of app being used to carry out the transaction, if you can. If the official app is being used, you’re almost certainly in the clear; if the app looks like a piece of third-party software, you shouldn’t hand over your card.


Correction: A previous version of this post suggested that the two attacks described by Alexandrea Mellen were a single attack. They are in fact two independent attacks.

[HackerOne via Motherboard via Engadget]



Image by AP