Easily exploitable Square card reader vulnerabilities

I’ve written some about Square and their mobile card reader before.  Click here to read my most recent article on them, part of my alternative payment systems series.

The problem is, Square’s dongle has been hacked.  And hacking it is pretty embarrassingly simple to do, it seems.

The gist is this:  Square’s dongle plugs into the audio port on supported devices such as iPhone, Android phones, etc.  Cards are swiped through the reader dongle by merchants.  The reader then turns the credit card swipe data into audio files that are transmitted through the Square system and turned into transaction requests for card issuers.

But the Square app accepting the dongle’s audio files cannot tell the difference between dongle input and properly recorded audio files from another source.  As reported by Mashable, researchers at Aperture Labs proved someone can hack the Square system with just a little bit of code and a cheap stereo cable:

In order to bypass the need to swipe a card, (the researchers) wrote a simple program — in fewer than 100 lines of code — that enables (them) to feed magnetic strip data from stolen cards into a microphone and convert that data into an audio file. Once that file is played into the Square device via a $10 stereo cable, the data is sent directly to the Square app for processing.

If Square had just digitized and encrypted the data on-dongle before passing it to the on-phone app, this hack wouldn’t work.  Security 101 stuff, really.

Click here to read the complete post on the PayPal X Developer Network including information on a second Square exploit.