Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

iPad Credit Card Reader Hacked As Skimmer

The Square reader for iPhone and iPad converts credit card numbers into plain audio, enabling criminals to convert stolen cards into cash.

Black Hat
11 iPad Apps For Better Collaboration
Slideshow: 11 iPad Apps For Better Collaboration
(click image for larger view and for slideshow)
Security researchers have used the Square dongle to transform an iPad into a credit card skimmer.

For the uninitiated, Square turns iPads, iPhones, or iPod Touches into mobile payment hubs via a small, plastic dongle which enables credit cards to be swiped, and which plugs into the device's headphone jack. In conjunction with a free iOS Square application, the dongle enables people to accept in-person credit card payments. Square takes a 2.75% commission.

According to the Square website: "Accept credit cards on your iPhone, iPad, or iPod Touch with no contract, monthly fees, or merchant account required. Every user receives a free Square credit card reader in the mail. Within minutes of downloading the app, you're ready to take payments." In March, CEO Jack Dorsey, who co-founded not only Square but also Twitter, said that Square was processing about $1 million per day, meaning the company could see revenue of $10 million per year.

But speaking on Thursday at Black Hat, a UBM TechWeb event in Las Vegas, security researchers from Aperture Labs in England demonstrated a hack that criminals could use to convert skimmed cards into cash, via Square. "We were sitting in an airport lounge and we said, I wonder if we can fire up this application and then just feed in arbitrary data?" said Adam Laurie (aka Major Malfunction), a director at Aperture Labs.

In turns out that Square's dongle converts credit card magstripe data into audio, which the iOS application then listens to and translates back into credit card numbers. "It's a hack--a clever hack," said Laurie, about Square's approach. But he said it bespeaks a product that was rushed to market without necessarily considering the security repercussions, since converting Square into a platform able to read stolen credit card data took him all of 15 minutes, "and 10 of that was buying a cable from Brookstone."

The hack, demonstrated at Black Hat on an iPad, works by plugging one end of a 3.5mm audio cable into the iPad, and the other into the audio output port of a laptop, running software Laurie wrote five years ago, called Makstripe. The software, which can be used with a card skimmer to capture swiped cards' magstripe data, can also be used to play card data as audio. Accordingly, someone can input an arbitrary card number into Makstripe, and then play the number back into Square, to then charge that credit card for any amount.

Instead of needing to manually capture credit card numbers using a skimmer, a criminal could also purchase credit card data on the black market for as little as $2 per card, or less when purchased in bulk. "You just start injecting these credit card numbers into the [Square] application, and making charges to it. Then you clear out the account on a daily basis, and when you get rumbled, you move on," said Laurie. "You'd have to set up dodgy accounts that couldn't be traced back to you, but ... that's established practice" for criminals, he said.

In the spirit of responsible disclosure, Laurie said that he notified Square about the hack in February. "Their response was, we don't see this as a significant threat, and we'd catch those threats through traffic analysis," he said.

Square wasn't immediately available for a request for comment, and an attendee from the company at Black Hat said he wasn't authorized to speak to the media.

What could Square have done differently to block criminals from potentially using their dongle and software as a credit card skimming platform? "I would have done crypto, from day one," said Laurie. Likewise, Zac Franken, a director at Aperture Labs, said that "the reader shouldn't be outputting audio, it should be outputting encrypted audio." That way, hackers couldn't play audio versions of magstripes into the Square software.

Under pressure from Visa, now a strategic investor in Square, the company's latest dongle (now black, as opposed to earlier versions, which are white)--reportedly encrypts credit card data. But Laurie said that at least for the moment, the Square app still accepts plaintext data.

But encryption isn't the only recommended fix for Square. Going forward, said Laurie, "they need to implement the protections you'd have in a full POS [point-of-sale] terminal, there needs to be a full handshake, probably PKI."

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.