Hackers have shown how to turn mobile payment service Square into a convenient tool that allows criminals to pump cash from stolen credit card numbers.
Adam Laurie and Zac Franken of computer security firm Aperture Labs used home made software and an easily bought iPad audio wire to trick Square in a way that could be a bonanza for crooks. Laurie could type credit card numbers into his laptop, which converts to sound data sent to Square, where the transaction registers as if a real card were swiped in a dongle.
“Traditionally, the way you make money from stolen credit cards is sell the data to someone else or buy goods on it, then resell the goods and get the cash,” Laurie said while demonstrating the hack at a Black Hat computer security gathering in Las Vegas.
“This really takes the hassle out of it… I can put the money right in the account and it only costs me 2.75 percent.”
The percentage he cites is the fee charged by Square, which was co-founded by Jack Dorsey, a Silicon Valley star who helped create popular micro-blogging service Twitter.
Square markets a pocket-sized credit card reader that can be plugged into a smartphone to allow anyone to accept credit or debit card payments on the spot. Franken and Laurie, whose hacker name is “Major Malfunction” said that they were waiting for a flight at an airport when they figured out how to convert Square into a handy tool for cashing in on stolen credit cards.
Laurie realised that the Square “dongle” used to swipe credit cards plugged into an iPad audio jack, indicating that the small device essentially converted magnetic stripe data to sound which is then interpreted by the service’s software. He quickly modified software he wrote five years earlier for reading and replicating magnetic stripe data.
Franken and Laurie strolled to an airport shop and bought a wire to plug Laurie’s laptop into the iPad jack where the dongle would have gone.
“Credit card data is getting skimmed all the time,” Laurie said, holding up a pre-paid credit card he used for the demonstration. “Instead of buying this I could have bought it on the Internet from a criminal gang.”
Funds are dumped into an individual’s Square account to be removed before anyone catches on, according to the hackers.
“You’d have to setup dodgy accounts that don’t trace back to you,” Laurie said. “But, that is standard practice.”
Laurie and Franken said that they shared their findings with Square in February, only to be told that it wasn’t seen as a threat and that traffic analysis would expose those kinds of transactions.
The hackers had also heard unconfirmed reports that Square planned to release new dongles that encrypt transaction data. “Encryption would be a good thing,” Franken said.
“The way it is at the moment with only a cable between two devices you can inject credit card numbers right into the system,” he continued.
Since Square promises to have money from transactions in accounts within a day, money milked from stolen credit card data could be made off with quickly, provided amounts were not extreme enough to be noticed, Franken said.–AFP