Walked into a store lately and seen one of those strange square blocks sitting in the microphone area of an iPad or iPod? It’s the Square Credit Card Reader, and combined with the Square App in the Apple App Store, it allows anyone in the United States to accept credit card transactions. The Square Reader works by taking the MagStripe data and converting it into an audio transmission, which is sent into the microphone, where the Square App interprets it and charges the card. No worries, right? It’s another day in the park… until now.
In an airport terminal, Adam Laurie and Zac Franken, directors of Aperture Labs, got hold of the Square Reader and combined it with a program that converts credit card numbers into an audio transmission (which was released five years ago at DEFCON). Fifteen minutes later (ten of those minutes were spent lining up for a special $10.00 microphone cable adapter), the Square Reader and App were compromised.
The proof of concept was simple: a $100.00 gift card, a laptop, and several minutes. Adam and Zac swiped the card through a credit card skimmer and converted that information into an audio transmission. From there, Adam and Zac linked an iPad and the laptop together with the microphone cable: one end of the cable was connected to the headphone jack of the laptop and the other end was connected to the iPad.
Adam and Zac then loaded the Square App on the iPad and played the audio file right off the laptop. The Square App treated it as if someone had swiped a credit card and proceeded with the transaction. In essence, cards from which you normally cannot extract money are now completely accessible. Financial/credit card thieves seeking a way to extract money can simply reproduce Adam and Zac’s method, allowing them to extract huge sums of money in a very short period of time.
In February 2011, Adam and Zac asked Square for a comment, and were told “We don’t see that as a significant threat.”
This proof of concept isn’t entirely a weakness in the Square App and Reader, but rather in the MagStripe technology itself. But some of the blame does fall on Square, as the current implementation does not check for replayed audio of credit card numbers. Essentially, the barrier to credit card skimming has become a lot lower, allowing any Apple iOS or Android device to become a skimmer.
As Adam put it, “now you need less technical hardware to do it and no technical skills at all.”
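The missing replay check mentioned above can be illustrated with a hypothetical reader that authenticates each swipe and numbers it, so the receiving side can refuse both unsigned track data and a recording of an earlier swipe. This is an added example, not Square's code or protocol; the frame layout, key handling and all names are assumptions, and it shows authenticity and freshness only, not encryption of the track data.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">IQ")   # reader id (4 bytes) + swipe counter (8 bytes)
TAG_LEN = 32                    # HMAC-SHA256 output size

class Reader:
    """Hypothetical reader that authenticates every swipe with a fresh counter."""
    def __init__(self, reader_id: int, key: bytes):
        self.reader_id, self.key, self.counter = reader_id, key, 0

    def swipe(self, track: bytes) -> bytes:
        self.counter += 1       # never reused, so no two frames are identical
        header = HEADER.pack(self.reader_id, self.counter)
        tag = hmac.new(self.key, header + track, hashlib.sha256).digest()
        return header + track + tag

class Verifier:
    """Receiving side: checks the MAC, then refuses counters it has already seen."""
    def __init__(self, keys: dict):
        self.keys, self.last_seen = keys, {}

    def accept(self, frame: bytes) -> str:
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed"
        header, track, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        reader_id, counter = HEADER.unpack(header)
        key = self.keys.get(reader_id)
        if key is None:
            return "unknown-reader"
        expected = hmac.new(key, header + track, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"    # e.g. raw track data that never passed through a reader
        if counter <= self.last_seen.get(reader_id, 0):
            return "replay"     # a recording of an earlier, genuine swipe
        self.last_seen[reader_id] = counter
        return "ok"

def demo() -> list:
    key = b"constructed-demo-key"                        # constructed sample secret
    track = b";4111111111111111=25121010000000000000?"   # constructed test track 2 data
    reader, verifier = Reader(7, key), Verifier({7: key})
    first = reader.swipe(track)
    unsigned = HEADER.pack(7, 99) + track + bytes(TAG_LEN)
    return [verifier.accept(first), verifier.accept(first),
            verifier.accept(reader.swipe(track)), verifier.accept(unsigned)]

if __name__ == "__main__":
    print(demo())
```

The same card swiped twice through the reader yields two different frames, so a legitimate second swipe is accepted while a byte-for-byte replay of the first is not.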
Now are you sure you want to let that waiter take your credit card away?