
At Black Hat: Square Reader To Credit Card Skimmer In 10 Minutes

New submitter arit writes with word that three recent Boston University grads have demonstrated at Black Hat software and hardware attacks on the Square Reader used by many mobile vendors to process credit card transactions. One of the attacks converts a standard reader into an efficient credit card skimmer (conference slides) with very little effort. Always keep Scott Adams' object lesson in mind.

  • by Anonymous Coward on Thursday August 06, 2015 @10:24AM (#50262641)

    We have card readers attached to our pay-for-print release stations. Turns out if you open Notepad on the release station, the card reader instantly becomes a card skimmer, because, well, card readers read cards.

    • by mjwx ( 966435 )

      We have card readers attached to our pay-for-print release stations. Turns out if you open Notepad on the release station, the card reader instantly becomes a card skimmer, because, well, card readers read cards.

      Why bother with card skimmers any more when contactless cards will tell you everything you need to know to make purchases online wirelessly?

      Card number, check
      Name, check
      Expiry date, check

      Everything you need to sell that shit on the black market delivered wirelessly... And no one questions why someone is walking around with a high visibility jacket, clipboard and strange antenna in a crowded shopping mall.

  • by Lumpy ( 12016 ) on Thursday August 06, 2015 @10:25AM (#50262647) Homepage

    The square reader to skimmer trick has been around for YEARS. Cripes all you had to do was record the audio and send the audio files to your skimmer.

    Pretty sad that Black Hat has turned into a n00b conference. Was there also a talk on how you can use keyloggers?

    • Gen 1 was always unencrypted. They didn't hack the gen2 or gen3 hardware to unencrypt it.

      I can't tell from the slides whether they used a gen1, gen2, or gen3 reader to do their playback attack.

      Even before Square, you could buy card readers on eBay. This doesn't really bring anything to the table.

      • by Lumpy ( 12016 )

        Gen 2 and 3 were still cracked. You still did the same trick: you plug it in and use an audio record app. Send that audio to your guy that pays you $10.00 for each audio file and use PC software to decrypt.

        Even the Paypal one was cracked a long time ago.

        • If you look at the slides they actually subverted the chip and were able to get the raw data from the reader with no encryption... No need to send the data to the 3rd party.
      • Show me malware running on a device used by an honest, unaware vendor, and have it send the data to a nefarious third party, and now we're talking.
        • So the modified firmware of a device plugged into headphone jack lets it somehow TRANSMIT to 'nefarious third party'? Please tell me more

          This isn't the first _how the F did they get past the retard filter_ talk at blackhat

          • The article is about turning a reader into a skimmer, which we all seem to agree is dumb seeing as a skimmer is a reader. These particular readers are typically plugged into a tablet or other handheld device so people can sell stuff to other people via credit/debit card. I'm saying, make it about malware running on said vendor's device that transmits the card data to a nefarious third party. That would be more interesting. For good measure, throw in a novel vector to infect device with the malware.
    • 'Black Hat' was compromised a very long time ago, and there are also many things they won't expose due to government threats. (What aren't we hearing from them this year?) So, now it's more a nostalgia thing for the phone phreaks and marketing for security companies.

    • by Anonymous Coward

      Submitted a talk on a whim and the review process was... disappointing. They don't bother to read white papers and they'll reject talks for sounding "academic".

      The invited speakers are generally good and there are a few diamonds in the rough, but a depressing amount of the conference is filled with UFO nuts and people showing off their scripts.

  • by gstoddart ( 321705 ) on Thursday August 06, 2015 @10:27AM (#50262659) Homepage

    Did anybody expect us to believe something you plugged into a cell phone speaker jack was actually secure in any sense of the word?

    Here's a good rule of thumb: if it's a piece of consumer electronics, or involves your phone ... it's probably got terrible security.

    The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".

    The damned thing is almost guaranteed to be something which can be exploited. Sadly, just like every other piece of consumer electronics which tries to add network connectivity.

    Companies don't care about, don't know about, and aren't accountable for security. Stop trusting that they do.

    • by Yosho ( 135835 )

      The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".

      What makes them less trustworthy than any other credit card reader?

      • The addition of a smartphone, the use of a headphone jack, and the intention to make it simple to use for small businesses.

        Which means you should just start out assuming that it has, like every piece of consumer technology these days, absolutely terrible security .. if any at all.

        Every damned week we see yet another piece of consumer tech which has almost zero security. Assuming this is true should be your default position.

        What kind of bubble have you lived in that with a Slashdot id that low you still put

        • I have to back this up. In June, I used a Paypal debit card for a small vendor at a Ren Faire who used one of these, (I rarely ever used this card) and a month later, I got billed $567 at some Japanese hotel. The dispute is ongoing, though I jumped on it immediately, got the card disabled and a credit; still, that money was out of my checking account for a few days. Now, it could've been a dishonest vendor, or an employee, malware on her phone, or something else, I don't know, -even a different transac
        • by Anonymous Coward

          it's not square's fault. that's the model, I give you a credit card number and an amount, and you transfer the money.

          the reader just converts the magstripe, which contains the credit card number, the same thing printed on the front, into a signal

          I could also just take a picture of the front of your credit card

          don't blame square, blame visa and the banks for having no security

        • by Kidbro ( 80868 )

          I may be wrong, but I don't think GP is asking you why you think the device in question isn't secure. I think GP is asking you why you think other devices are.

        • by Yosho ( 135835 )

          What kind of bubble have you lived in that with a Slashdot id that low you still put any faith in this crap?

          As Kidbro pointed out, you're making an incorrect assumption. I don't think smartphone credit card readers are secure. I think that all of the other types of card readers are insecure, too. There have been many cases of them being compromised.

        • by tepples ( 727027 )

          If credit card payment through a smartphone is insecure, what alternative to a credit card would you prefer for a purchase outside a fixed store front? If cash, how much cash should people carry instead?

        • But when the alternative is NOT eating that delicious lobster roll, what is one to do? Like it or not, the consumer security ship seems to have sailed and we need processes on the back end to protect ourselves (like the single-use card numbers generated by ApplePay-esque systems). I applaud you for fighting the good fight, but these security holes feel like a fact of life at this point.
        • welcome to the race-to-the-bottom.

          I'm here in the bay area, which USED TO BE a hotbed of quality and innovation. ha! now it's entirely a sweatshop where unskilled foreigners (who will do just what they are told and march to stupid/fast schedules that don't allow for proper design or testing) are the norm. software is a factory job, now. if you question things, you get fired. if you try to fix broken processes, you get fired.

          all that matters is cheap and fast-to-market.

          I have zero faith in software or e

        • by suutar ( 1860506 )

          No, but why do you place any trust in any other card reader? Hardware owned by someone else can be doing anything they want in addition to (or instead of) what it's supposed to be doing.

          Or are we specifically assuming the case where the owner of the square-and-phone is not involved and the unit's been subverted out from under them? That can also happen in other cases, if anyone besides the owner has physical access to the hardware (clerks, for example).

          Which leaves us down to remote attacks by folks with no

        • by guruevi ( 827432 )

          ANY card reader is susceptible to this attack and that has been known since card readers were being produced.

          Look at your grocery store card reader: Serial or USB port. Crack open those all-in-one with an Ethernet port or a phone jack: three wires go to the reader.

          Unless you're doing some type of Kerberos-style authentication (ala Apple iWallet or whatever), your card (even the chipped ones) are pretty much going to donate all your information to the first card reader that comes along. Even EMV cards (the o

    • I, for one, rely heavily on the credit card fraud protection - and that I'm not responsible for theft of services.

      VISA/MC/AMEX might care because they foot the bill. But it ain't my problem.

      I've had my cards reissued twice due to "strange purchases in far away places" - which is a PITA because I must update all of my auto-bill-pays. So I have adopted a ringed mechanism - I have a card that is used only for bill pay - and another for shopping. Hopefully reducing *my* PITA from stolen cards. The one I use

    • Which color Square reader?

      Yes, the really old ones were trivial (white?), unencrypted/obscured.

      The black ones changed that, it added 'encryption' to the data before pulling it off the reader. I don't know how technically correct that is but they did make some changes.

      This paper is about the white one, which was a limited distribution unit.

      This paper is several years out of date.

  • Machine designed to read credit cards hacked to read credit cards. Story at 11.

    • by sims 2 ( 994794 )

      I honestly don't see that this is a problem.
      Does anyone remember the cuecat?
      It made an output that was unusable without their special software.

      But someone figured out how to modify it so the output was decrypted Confuse-A-Cat.
      There was also a program called CatNip that would do the same without hardware modification.

      Then you could use a device that was being given away for free to scan things with software you already had.

      So they have bypassed the drm on the device to read cards with other software.

      I wouldn'

  • This story brought a quote from Gibson to mind for me: "The street finds its own uses for things." (from "Burning Chrome")
  • by hey! ( 33014 ) on Thursday August 06, 2015 @12:34PM (#50263539) Homepage Journal

    ... that anyone would expect this to be particularly hard to do. After all you're just reading bits off a magnetic stripe.

    Vendors like to talk as if the security of a system is determined by the toughest component in the system, because then they can simply buy some whiz-bang encryption chip, slap it in their product, and claim their product is nigh unbreakable by ordinary mortals. But the truth is the security of a system is determined by its *weakest* component, and in this case that starts with the card itself. Trying to secure that is like trying to secure your butter by nailing it to the butter dish.

    • by Nethead ( 1563 )

      You can read a mag card without electronics even. Just sprinkle some very fine powdered iron filings on it and you'll see the bars. Very old trick.

      • by Anonymous Coward

        Or look at the front?

      • by swv3752 ( 187722 )

        I read a credit card just by looking at the front of the card. I generally use a piece of technology to read the card- glasses.

        A few years ago, I used a credit card at a Restaurant, and the waiter must have copied down the number as a week later, I get a Call from Visa Fraud Prevention. Someone was using my card across the State from where I live. And they were swiping a card at gas stations. It is not really necessary to read the mag stripe to steal a credit card number.

        This is why I use a Visa or Mast

  • by Anonymous Coward

    Nice job Google advertising, an article about Square being "hacked" and you're advertising Square, with a Free card reader! I agree though this seems like a lot of "controversy" over something that should be obvious to anyone who understands ANYTHING about technology. And as with most payment methods you have to trust the person on the other side of the register to a degree because even with hardened POS terminals there are often childishly easy ways to slip a system in between to skim card numbers.

  • It is totally impossible to secure credit cards given the way that credit card transactions work. I simply don't understand how come credit cards work the way they do. There's absolutely no authorization step involved.

    • by mjwx ( 966435 )

      It is totally impossible to secure credit cards given the way that credit card transactions work. I simply don't understand how come credit cards work the way they do. There's absolutely no authorization step involved.

      Because right now, the cost of fraud is less than the fees they charge the merchant for accepting credit cards.

      This is true in countries where banks are forced to cover the cost of fraud like Australia, in countries where they can pass it onto the merchant or user, it's a license to print money.

      Put simply, there's no impetus to be secure yet. Banks don't want it, users will reject it, merchants don't get a say in it. The major credit card providers are looking for ways to remove the current authorisation

  • You just slashdotted Dilbert.

    That's an accomplishment.

  • You mean to tell me that a credit-card reader can read credit card numbers as the credit cards are swiped through the reader? Who would have thought?!

    Holy shit, these conferences really have started to dredge the bottom of the barrel, haven't they?
  • hello there
