Security researchers presenting at the Black Hat Conference in Las Vegas this week have revealed a method for accessing the Square payment processing service without the hardware device, opening up the spectre of unauthorised payments.
Adam Laurie and Zac Franken, of research firm Aperture Labs - no relation to, although likely inspired by, the shady Aperture Science from hit puzzle game Portal - took to the stage at the conference yesterday to demonstrate a method for emulating a Square reader without the usual hardware.
Square, for those unfamiliar with the company, is a payment processing firm with a difference: the company produces a small hardware dongle which plugs into the headphone socket of an iOS or Android device and which allows the owner to swipe the magnetic stripe of a credit card and take payments.
The system has several advantages over a traditional payment processing service: while per-transaction fees are somewhat steep, there's no monthly cost attached, and the use of a free dongle to integrate payment processing into an existing device means there's no up-front cost to buy a payment terminal.
The company's approach has proven popular, with the small dongles becoming a frequent sight in smaller retailers across the US. While an international launch has long been on the cards, the publicity generated by Laurie and Franken's demonstration may dampen other nations' enthusiasm a trifle.
Laurie has form for magnetic stripe hacks: back in 2006 he demonstrated an application at the DEFCON conference which could be used to read and modify magnetic stripe cards used in hotels as keys by connecting a magnetic reader to a computer's sound card. A quick modification to that existing application soon allowed Laurie to emulate the Square dongle.
According to Threatpost's Paul Roberts, who was present during the pair's demonstration, the modified program was able to read the details from a credit card and successfully deduct $2 using the Square application live on stage.
Laurie and Franken warn that criminals could use the technique to transform purchased or stolen credit card details into the audio format expected by the Square application, deducting money from each card and depositing it in an account of their choice in a way far easier than has been traditionally possible.
It's worth pointing out, however, that to do so the criminals would need a valid Square merchant account, which requires users to validate their identity and confirm their address. As a result, anyone using Square's system for ill would rapidly find themselves visited by the police.
The pair still believe that their demonstration proves a worrying level of insecurity, not with Square but with the use of magnetic stripe readers for payments in the first place. While much of Europe has moved to Chip and PIN, the US remains a largely mag-stripe nation, and that's what Laurie and Franken's demonstration is truly warning against.
Thus far, Square has not responded to our request for comment on the Black Hat demonstration.