Friday, August 5, 2011

Visa backed Square Easily Hacked by Black Hat Researchers


It's Friday, August 5th and it's no longer Hip to be Square...

I wondered why Visa (which expressed the opposite of interest when approached 18 months earlier by a company with the first 3DES DUKPT encrypted dongle with a PCI 2.1 certified PIN Entry Device) invested in Square, but chalked it up to Rock Star Mentality (Jack Dorsey) vs. Rocket Science (doing their homework). I was equally puzzled when Kleiner Perkins invested 100 million into technology that is essentially nothing less than a skimmer.

Yesterday, at the Black Hat Security conference, two researchers proved what many (but apparently neither Visa nor Kleiner Perkins) already knew. The technology used by Square does two things very well:

1. It enables Square as a skimmer for cloning cards... and
2. It enables the bad guys to easily and more readily use stolen card data for transactions without having to clone cards. (Translation: Square makes the bad guys' job even easier!)

Kudos to Visa for their intensive due diligence and investing in an outfit that is suitable only for an emperor who wears no clothes.

I realize that Square will "eventually" add encryption, but why the *!#$ is it doing $4 million per day on the market in its current form? Can't wait to see how the JDL (Jack Dorsey Lovers), i.e. the media, spin this major flaw into "brilliant disruptive technology".

CNET: LAS VEGAS--Researchers at the Black Hat security conference today revealed two ways the Square payment system, which turns any iPhone, iPad or Android into a point-of-sale credit card processor, could be used for fraud. Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that they can transfer money from a stolen card into their bank account associated with Square without having to swipe a card through the Square dongle card reader. To do this, they used code written by Laurie that lets them feed magnetic stripe data from a stolen card into a microphone and convert it into a sound file. They then played that file--a series of beeps--into the Square device via a stereo cable which transmitted the data directly into the Square app. That effectively turns a merchant system that is designed to only accept physical cards for transactions into one that can be used for electronic-only transactions, enabling fraudsters to easily use stolen card data for transactions without having to create cloned cards and go to a store to make purchases or know PINs.

Read more: http://news.cnet.com/8301-27080_3-20088441-245/researchers-find-avenues-for-fraud-in-square/#ixzz1UAJLMX5v



Mobile payment system Square can be hacked, claims researchers


Two researchers attending the Black Hat security conference yesterday in Las Vegas have demonstrated a simple hacking technique that could allow unscrupulous individuals to purchase items using the mobile payment system Square and stolen credit card data. With this technique, would-be hackers could use stolen credit card data to withdraw funds without the need to be in possession of the physical credit card.
Read More:  http://sociable.co/2011/08/05/mobile-payment-system-square-can-be-hacked-claims-researchers/


News for Square hacked at blackhat

  • Black Hat: Square Credit-Card Reader Hacked!
    PC Magazine - 13 hours ago
    The researchers notified Square in February; Square responded that they see no significant threat. This hack also allowed them to effectively pull cash from ...