Two researchers attending the Black Hat security conference yesterday in Las Vegas have demonstrated a simple hacking technique that could allow unscrupulous individuals to purchase items using the mobile payment system Square and stolen credit card data. With this technique, would-be hackers could use stolen credit card data to withdraw funds without the need to be in possession of the physical credit card.
This hacking technique is made possible by the way in which Square works. Square is a mobile payment system that exists as a physical smartphone attachment or dongle and an Android or iOS mobile app. Users pay for goods by swiping their credit card through the Square dongle. The dongle creates a simple audio file containing the user’s credit card data that is then sent to the Square mobile app, processed and authorised by the appropriate credit card issuer. As it stands however, the audio files’ origins are not verified by the app so don’t necessarily have to be generated by the official dongle.
The two researchers, Adam Laurie and Zac Franken, created a simple program themselves that reads magnetic strip data from credit cards which is then converted to an audio file. This audio file can then be played into the Square dongle and the data is sent directly to the Square app for processing. The app does not distinguish between a proper credit card swipe and an audio file played into the device.
In this regard, stolen credit cards data could be stored efficiently in audio files and sold to dubious buyers. The Square app is due to be updated in the near future and will likely patch this vulnerability. Or instead, Square may issue new dongles that encrypt audio file data.