Square credit card reader can be hacked into card skimmer

As a credit card payment-related device, the Square Reader accessory for iOS has maintained a decent track record in not falling victim to malicious hacks. Unfortunately, that might be about to change. A group of security researchers have revealed how they were able to hack the Reader, which is used to turn iPads and iPhones into mobile point of sale terminals for merchants, making it capable of stealing credit card information from customers.

The researchers' hack involves disabling the Square Reader's encryption system through a physical modification, however the device remains the same in appearance. Once complete, the Reader can record the data from a credit card swipe made during a valid sale. This copy of the data is not transmitted to Square's servers, and can be used later in a second charge for a fraudulent transaction.

Square has responded to the research, noting that its official app will not continue to work with a tampered reader. Also, even with the stored credit card data, a second, fake swipe can only be made once, as transmitting that data makes it disappear without retrieval.

The card reader company notes that delayed, out-of-order swipes are flagged as potential fraud in their system, so there's little chance this could become a widespread problem. However, the researchers noted that an app that mimics the appearance of Square's could be used, tricking users into swiping their cards, and in turn still letting the reader store a copy of the data.

While its disappointing that Square has disregarded the research as not being a threat to security, it's still unlikely to encounter a tampered Reader in the wild. The physical modification is not easy to perform, and as long as the official Square app is being used during a transaction, there's little chance fraud could take place.

Update: A Square spokesperson gave SlashGear the following statement (emphasis theirs):

"Any card reader on the market can be deconstructed. The chip could be crushed and then reassembled by using the undamaged shell of the reader. At Square, we have processes in place to prevent malicious behavior on damaged readers. Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square."

SOURCE Motherboard, HackerOne