Categories
Software

On Square Skimmer Security Risks

There’s an “open letter” going around about the alleged security hole created by SquareUp, a startup that gives out free credit card readers for smart phones. To quote the meat of it:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

Allow me to debunk the hell out of this:

  • To skim a card you need physical possession of the card. The numbers are printed on the front. No reader needed.
  • Skimming is normally done by attaching a device in front of a legitimate reader (such as an ATM) so it passively collects data. Not via cell phone. Stealing a credit card, walking to a back ally and skimming doesn’t make any sense.
  • Credit cards numbers are worth almost nothing on the black market. They are sold in bulk. This process is to slow to be viable for even the most brain-dead of criminals to want to bother with.
  • There are easier methods than the above including phishing attacks, becoming a waiter (the best job for credit card thieves), or just hacking one of the many insecure ecommerce sites on the net. An ATM skimmer attached to an ATM is much more profitable and harder to get caught since you can leave and come back later.
  • Square’s dongle doesn’t encrypt data because it goes directly to the phone. You’d need to extensively modify the device to intercept anything. The connection from your phone to Square seems to be encrypted.
  • Oh yea… They have their logo on top, but never link to their homepage or explain who they are. VeriFone is a vendor of credit card scanners. A direct competitor of Square. They also sell wireless scanners that would compete directly with Square. They cost a lot.

How’d I do?

Bonus:

VeriFone sells “contactless” point of sale systems. I’ve mentioned several times over the past few years how poorly thought out these seem to be. WREG recently did a great story on how easy it is to scan/clone one of these cards to a hotel key (full disclosure: WREG is an affiliate of my employer).

Conclusion:

If someone steals your credit card swiping it on their own scanner, reads the numbers off, or just running to the nearest store and buying things, it doesn’t make a difference. Square isn’t the security hole here.

I’ve got a square reader on hand and can say it’s cheaply made (obviously), but no reason at all to think it’s any less secure than any other terminal. The owner/operator of the terminal is the chief point of failure.

11 replies on “On Square Skimmer Security Risks”

I agree Verifone may have been very irresponsible in their handling of this: 1) there is no indication if they attempted to notify Square of the vulnerability and give them some time to fix it before disclosing it, and 2) they should have been more transparent and disclosed that Square is a competitor.

The connection from the reader to the iphone is not encrypted, this is the root of the issue. Otherwise, a criminal could not use the reader to capture data (despite having physical access to the card). I will think twice about handing my CC over to someone to use with a Square reader.

It does make sense that a card reader should encrypt data prior to sending data to the Square application, especially when there is no guarantee that the card reader is sending the data to a Square application.

I’m still reviewing PCI Security requirements for card readers and magnetic stripe readers (MSRs). PCI focuses on PIN entry devices.

@Brian: That’s not really a security issue. Encryption can’t happen before the reader, it’s technically impossible (you must have data before you encrypt it). A device that intercepts between the square reader and the phone is not a security risk since it would be obvious and intentional to the operator. If the operator ignores it, then it was an intentional hack by the operator, who also has physical access to the card.

You could also attach a skimmer to a Verifone device and skim cards that way.

AFAIK PCI security requirements want encrypted storage and transmission.

You’re missing the point, I have a brand name mobile terminal and the card reader heads have aes-256 encryption in the head before any wires, which is then sent encrypted to the card processor. No matter how much anyone wants to look at the bitstream they can’t because the decrypted data just isn’t in the terminal at any time; the only possible way would be to disassemble the head, which is designed to be tamper proof/self destructing, you can’t change the head because then the rest of the unit would not be compatible with the non aes data. Also, square uses the mic in plug with this raw card data, I just used voice notes and looked at it in my card bitstream analyzer on my computer, works just fine. You can do this with a square reader and any device that records audio at a fairly high fidelity, overall it’s just a terrible design.

@Robert: If a thief had access to the device, they could put an additional head, or even gut the electronics entirely. That’s how ATM skimmers work. It’s just an additional head. They don’t intercept data off the internal head. They just attach a small device to the front.

The vulnerability still exists. If a thief has access to the card or the reader, they have access to the data. That doesn’t change. You can attach a skimmer to a mobile credit card terminal. From what I’ve read, it’s been done before by criminals.

But there’s a difference in gutting and custom fitting a mobile terminal and starting up “voice notes” before the card is swiped…

This all misses a key point! Visa and Mastercard insist that all point of sale card reading devices conform to PCI standards for security. The industry (and retailers) have spent very large sums of money to be compliant. The Square device is a POS card reader, but it makes no attempt to be PCI compliant — indeed, to incorporate any security. This gives Square a competitive advantage. If Square had to ship encrypting readers, which the rest of the industry does, they could not continue with their free-reader policy and their current market approach. It is doubly saddening that Square continues to ship non PCI compliant readers despite the fact that Visa has become a large share-holder of Square. There is something terribly unfair about how Visa enforces rules on others while letting Square “get away with murder”. George Wallner

Let us say you are a bartender. you have an audio recording app on your company provided iPhone that you are supposed to open bar tabs with using square. you run the card the first time using any audio recording app. You easily then switch to the square app where you it a second time.

Now yes you could memorize 16 digits (most good wait persons can) but this does make it darn easy to skim alot of cards. Any security can be broken but it is best if they have to use a supercomputer to do one card every 48 hours.

Just sayin.

@Phil: a credit card skimmer is hardly difficult to come by or obscure. They are a problem for stores for years. How is there a difference? Waiters have been skimming for ages using pocket devices.

Phil, you’re missing the point. If the operator of the mobile terminal is malicious, the transaction is already compromised no matter what. As noted, a skimmer could be attached to any encrypting device just as easily so there is no practical security gain.

Let’s return to your bartender example. Scenario 1, I’m using Square to read legitimate transactions but first recording the audio in to some other application for malicious use:

1. Load Square app, enter data.
2. Switch to recorder, press record, swipe card.
3. Switch back to Square, swipe card again.

Scenario 2, I’m using anything (could be Square, could be Verisign, doesn’t matter) and have a discreet skimmer installed in/on my reader head.

1. Load up mobile terminal app, enter data.
2. Swipe card.

The first approach is more time consuming and leaves me open to being noticed by the customer pushing buttons and switching applications while I’m swiping their card. It also leaves me to decode all the audio files rather than just dumping the memory of a skimmer.

The PCI argument is legitimate, these devices are clearly violating PCI and I won’t argue it for a second, but to claim that there is an actual practical security difference given a malicious operator is absurd.

PCI is about making money. Ensuring security is second at best. Make no mistake of it. Being complaint doesn’t mean you’re secure. Not being compliant doesn’t mean you’re insecure.

Leave a Reply to Brian Cancel reply

Your email address will not be published. Required fields are marked *