On Square Skimmer Security Risks

There’s an “open letter” going around about the alleged security hole created by SquareUp, a startup that gives out free credit card readers for smart phones. To quote the meat of it:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

Allow me to debunk the hell out of this:

  • To skim a card you need physical possession of the card. The numbers are printed on the front. No reader needed.
  • Skimming is normally done by attaching a device in front of a legitimate reader (such as an ATM) so it passively collects data. Not via cell phone. Stealing a credit card, walking to a back ally and skimming doesn’t make any sense.
  • Credit cards numbers are worth almost nothing on the black market. They are sold in bulk. This process is to slow to be viable for even the most brain-dead of criminals to want to bother with.
  • There are easier methods than the above including phishing attacks, becoming a waiter (the best job for credit card thieves), or just hacking one of the many insecure ecommerce sites on the net. An ATM skimmer attached to an ATM is much more profitable and harder to get caught since you can leave and come back later.
  • Square’s dongle doesn’t encrypt data because it goes directly to the phone. You’d need to extensively modify the device to intercept anything. The connection from your phone to Square seems to be encrypted.
  • Oh yea… They have their logo on top, but never link to their homepage or explain who they are. VeriFone is a vendor of credit card scanners. A direct competitor of Square. They also sell wireless scanners that would compete directly with Square. They cost a lot.

How’d I do?

Bonus:

VeriFone sells “contactless” point of sale systems. I’ve mentioned several times over the past few years how poorly thought out these seem to be. WREG recently did a great story on how easy it is to scan/clone one of these cards to a hotel key (full disclosure: WREG is an affiliate of my employer).

Conclusion:

If someone steals your credit card swiping it on their own scanner, reads the numbers off, or just running to the nearest store and buying things, it doesn’t make a difference. Square isn’t the security hole here.

I’ve got a square reader on hand and can say it’s cheaply made (obviously), but no reason at all to think it’s any less secure than any other terminal. The owner/operator of the terminal is the chief point of failure.

Mythbusters on RFID

I’ve mentioned several times on this blog that RFID isn’t a good idea for sensitive things like credit card information. Pretty much anything you wouldn’t openly make available to strangers.

The latest piece of evidence is Adam Savage, of Discovery’s Mythbusters discussing how they were effectively outgunned by lawyers for credit card companies (with video goodness) when wanting to do a show about RFID.

My personal experience is that they will swap out your RFID card with a non-RFID upon request. Until this stuff is much more proven, I don’t want it. Some make the argument that you’re not liable for more than $50, but it’s your job to convince credit agencies to update your credit history and dealing with creditors re-evaluating your changed credit history for a really long time. Considering the current credit crunch and the knee-jerk reactions that are so common right now, that’s just a recipe for disaster. Who wants to go through that for the novelty of not needing to physically swipe the card? No thanks.

MTA’s Fail Whale

Apparently the Fail Whale in tech is a disease lately. The latest obvious occurrence has been New York’s MTA with their MetroCard vending machines. I noticed on Monday walking into the station, the lines in front of the vending machines were insanely long (normally 2 people max, now 15+) and presumed just a large group of tourists. Then saw it when I got off at my stop (hmm… two stations overloaded with customers? Strange). This morning it was less but still crowded (I guess some people gave up), and learned the problem myself. Apparently they can’t process credit cards lately.

Many New Yorkers purchase an $81 30-Day Unlimited Ride MetroCard,a s opposed to putting a fixed amount on a card. I suspect many do not carry $81 cash on them because we are a society that uses credit cards for convenience. So those people just pulled a couple dollars out of their wallet and bought a regular fare card with the intent to come back later. At $2.00 a fare this could provide a nice bump for the MTA, who I might add is cash strapped and looking to raise the fees after just cutting the bonuses from 20-15%.

Now regarding that bonus cut, that creates a whole new can of worms. For those who don’t know: if you purchase more than $7, you get a bonus. 20% always leaves a nice even number. 15% on the other hand leaves you with spare change. Leaving room for things like the MetroCard Bonus Calculator. What a mess. You could always put a few dollars on the card to clean it up, but then you loose the 15% bonus on that money. Over time that adds up. I’m sure many people just throw away the cards with change on it, but I find that somewhat silly.

Twitter seemed to survive the Chino Hills earthquake, so the MTA wins the Fail Whale award for today.

How To Hack A RFID Card

Boing Boing TV has a great video on how to hack a RFID credit card for a mere $8. I’ve said it more than once that I don’t trust it yet. This is why. You just removed the best security feature on the card (the ability to keep it and it’s information out of view).

As a commenter noted, the Nokia 6131 NFC includes the following from their tech specs:

  • Explore mobile weather and news by touching your phone to radio frequency identification (RFID) tags

That’s right, a built in RFID reader. Just needs software for this particular task. I’m sure that won’t take too long.

How To Steal A Credit Card

I said a while back RFID credit cards still have to prove themselves. Today I saw this interesting story on CNet:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer’s wallet, Laurie both read and displayed its contents on the presentation screen–the person’s name, account number, and expiration clearly visible.

You can find a ton of information including code and the hardware necessary to duplicate this his website RFIDIOt.

Another real potential issue is companies using RFID for security badges. Considering how easy it is to read and duplicate, potentially anyone who can get close to someone walking into an office can capture the data necessary to produce their own ID card. In this case only matching the photo stored by the company on their computer system (not the one on the badge) to the person’s face is security. So for those offices who don’t have security staff doing this, anyone could theoretically get in.

The best security mechanisms are the most simple and discrete. Credit cards are naturally pretty secure if used correctly. Nobody can abuse a credit card unless they know the number. Nobody can read it through a wallet. The wallet in this case is a great security feature. To read it you need to either visually inspect it for the numbers, copy it, get an impression of it, or swipe it through a reader. All things that require intimate contact with the actual card. Impressive security for some old technology isn’t it?

I’ll stick with swiping a credit card for the foreseeable future. Your only not liable for a stolen credit card if you and your credit card company mutually agree it’s stolen or being misused. Otherwise you may be on your way to an expensive dispute. Regardless it may have hit your credit, and you’ll spend a lot of time sorting it out and getting it corrected. Bad credit costs you money. Some individuals make it sound like it’s just a phone call and your done, but people who have had their credit card stolen sometimes spend several months fighting to save their credit.

Bank Security Sucks

Why is it, I can get a security key fob from PayPal for a mere $5, but not from my credit card company or bank? PassMark seems to be the latest craze of banks in an attempt to look more secure. It doesn’t work. Online security still seriously sucks. 96.66% fell for phishing according to Harvard and MIT just a few months ago. Interestingly both of those links reference the same bank (Bank of America), though they aren’t the only ones.

And I’m supposed to believe RFID enabled credit cards aren’t trouble? I think not. I’ll wait until the technology has been proven a bit more. Swiping the card really isn’t that hard. I find it to be a good workout. For the security of knowing my wallet is a good security device, I don’t mind the inconvenience. When they can prove it’s secure I’ll switch. I doubt that will be for a while.

I wonder how long until financial institutions start taking security to the next level. I’m confident they will be pushed to do so at some point. I’m just wondering what the catalyst for change will be. I’m guessing some more alarming statistics. I really want to see hardware based two-factor authentication the defacto standard in all banking systems. If PayPal can do it for $5 per user, I think the rest can manage to offer it. It’s not perfect, it doesn’t cover every type of attack, but it’s the single best enhancement over a good password. You do have a good password right?

[Hat Tip: The Consumerist]

Getting A Non-RFID Credit Card

Chase Freedom VisaThe Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contact-less terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.

It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:

Blink Logo (sm) Chase

For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.

Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.

RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.

Chase Flexible Rewards VisaChase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card, without the “Blink” capability. The actual plastic card is their “Rewards Visa” though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic, the credit plan is in the account not the card. So there you have it, you can get a secure credit card if your concerned about security.

Chase claims “Blink” it’s very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):

10. Are blink purchases secure?

Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.

Judging from the speed in which it can be swiped (as demonstrated on the Chase blink website) one could technically walk by with a bag containing a reader and just brush by the victim to read the card in their pants pocket, sit next to you on the bus/train, etc. Easier than pickpocketing since no actual contact needed (such as digging a hand into someone’s pocket).

We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. No way to read the magnetic strip or copy the numbers off of it without the actual card visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I do realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and usage of stolen data.

I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).

Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.