With a screwdriver, some superglue, and roughly 10 minutes, just about anyone can turn the popular Square Reader into a skimming device that steals customer's credit card information, according to a group of researchers.
Ever since its debut in 2009, Square's mobile credit card processing device has become extremely popular by offering a cheap and easy-to-use alternative to traditional point of sale systems. Square's readers have become a common sight at small mom-and-pop businesses or for retailers that can't afford or don't want to buy a traditional point of sale system to accept credit card payments.
But new research conducted over the last year by three recently graduated students at Boston University could serve as a cautionary tale for consumers as well as companies selling mobile point of sale systems such as the Square Reader.
These systems pose uncharted security challenges, according to the researchers, because in order to achieve their low cost and size, manufacturers have to make compromises, including using lower quality components and relying on direct interactions with smartphones by design, which potentially allows merchants to use other apps when swiping the credit card.
"That could potentially be a recipe for disaster," John Moore, one of the three security researchers, told Motherboard in a phone interview.
This is an "a quick, easy, and cheap way to make a credit card skimmer."
Moore, along with fellow researchers and former classmates Alexandrea Mellen and Artem Losev, studied Square Readers over the last year and found a series of potential attacks that a malicious merchant could use to scam his or her customers.
The most concerning of their findings is the fact that it's possible to turn a current, latest generation Square Reader into a device that steals customers credit card information. The three researchers found a way to physically tamper with the device and disable the encryption that normally protects the credit card data being transmitted to the smartphone. (The researchers will show exactly how they did during a talk on Wednesday at the Black Hat security conference in Las Vegas.)
Once you know what you're doing, this is an "a quick, easy, and cheap way to make a credit card skimmer," Mellen said, adding that the tampered, unencrypted, device "will still look exactly like the Square Reader."
Square counters that the tampered device won't work with the Square app. But Mellen noted that it can be also used as a generic skimmer.
Moreover, the researchers also found that even with a regular, non-altered, encrypted reader, a malicious merchant can log the credit card swipes on his or her smartphone and play them back later to make fraudulent transactions. Mellen, Moore and Losev said they have devised a method to easily record the signal created by the credit card when its magnetic strip gets swiped through the Square Reader, and later play it back through the Square app to charge the card again.
The researchers created a custom app that makes this trivial to do, but they told me that it's possible to do even without the app. (Moore and Mellen told me they still haven't decided whether they will release their app.)
"I can take that signal and convert it using a decoder freely available online, and then I have your credit card information," Mellen told Motherboard.
Their custom app, which they called "Swordphish," essentially automates that process, taking the recorded signal, storing it away, and decoding it into credit card information, the researchers said.
"I can take that signal and convert it using a decoder freely available online, and then I have your credit card information."
A malicious merchant could use their method to scam customers by first swiping their credit cards to record the signal. (In 2013, another researcher showed how much data it's possible to see from a credit card swipe through a Square Reader.) At that point, the merchant could just pretend the first swipe didn't go through and swipe it again using the Square app. To the customers, everything went as planned, but if the merchant is using the altered Square Reader, he or she now has the name and number of the credit card.
But even without the tampered reader, the merchant can still use the recorded encrypted audio signal to make other payments in the future through Square, according to the researchers.
Regarding the software vulnerability that theoretically allows malicious merchants to playback recorded swipes, Square admitted that it's possible, but dismissed this as an actual bug in their response to the researchers.
"We do not see it as a security risk," a Square employee wrote in the bug report, published on the bug bounty service HackerOne, which Square uses to interact and reward independent security researchers. "In particular, it is not possible to process a stored swipe more than once."
Moreover, the company claims that they are tracking delayed, out-of-order swipes as a sign of potential fraud, "so we'd probably notice if you started throwing too many of these into our system," a Square employee told Moore in December of last year.
"We do not see it as a security risk."
The researchers said that they also found this type of scam was possible with the older models of Square Reader, which did not include encryption. Until May, according to an archived version of its site, Square claimed that "all previous readers continue to be secure," (the page containing that claim appears to have since been removed).
By reporting this issue to Square in December, the researchers prompted the company to recently stopped supporting its older readers. A Square spokesperson said that as of July 22, the old unencrypted readers "no longer work," and thanked the researchers, who "encouraged us to speed up our deprecation plans." (The company also paid them $500 for reporting this issue.)
When it came to tampering with the Square Reader and turning it into a credit card skimmer, the company claimed that's not an issue, because if somebody breaks the device the way the researchers did, it will stop working with the Square app.
This response was "very frustrating" to the researchers, according to Mellen, because when they reported their method of altering the Square Reader to the company, Square dismissed it.
In fact even if the tampered reader won't work with the Square app anymore, it can still be used to scam customers. For example, a seller could just pretend the swipe worked and let the customer go, or pretend it didn't go through and ask the customer to swipe again using a backup Square Reader, Mellen told me in an email.
In any case, the three researchers want customers to be aware of potential risks and not blindly trust these technologies.
"Just because now we are able to process credit cards using our smartphones, it doesn't mean that everything it's just as secure as it has been in the past," Moore said. "And it doesn't mean that the technology has gotten to a point where they don't need to worry about their personal information or stop watching their accounts for fraudulent charges."
This story has been updated to add Mellen's comments on how a malicious merchant can still scam customers using an altered Square Reader.