At Black Hat: Square Reader To Credit Card Skimmer In 10 Minutes
New submitter arit writes with word that three recent Boston University grads have demonstrated at Black Hat software and hardware attacks on the Square Reader used by many mobile vendors to process credit card transactions. One of the attacks converts a standard reader into an efficient credit card skimmer (conference slides) with very little effort. Always keep Scott Adams' object lesson in mind.
Card Readers are Card Skimmers (Score:5, Insightful)
We have card readers attached to our pay-for-print release stations. Turns out if you open Notepad on the release station, the card reader instantly becomes a card skimmer, because, well, card readers read cards.
Re: (Score:3)
I would be more interested in a comparison to chip-based readers: is it possible to build a chip-based skimmer?
Highly variable technology, at this point. Generally speaking, yeah, it could be done (though I suspect it'd be harder). The newest toy is a system that encrypts everything on the reader (or maybe on the card), and the merchant never sees the card info at all, so there's nothing to steal. Merchant services are pushing this hard, but it'll take a decade to get it fully deployed, even with the carrot of not having to be PCI compliant any more.
Re: (Score:2)
We have card readers attached to our pay-for-print release stations. Turns out if you open Notepad on the release station, the card reader instantly becomes a card skimmer, because, well, card readers read cards.
Why bother with card skimmers any more when contactless cards will tell you everything you need to know to make purchases online wirelessly?
Card number, check
Name, check
Expiry date, check
Everything you need to sell that shit on the black market delivered wirelessly... And no one questions why someone is walking around with a high visibility jacket, clipboard and strange antenna in a crowded shopping mall.
Black Hat for Noobs now? (Score:5, Insightful)
The square reader to skimmer trick has been around for YEARS. Cripes all you had to do was record the audio and send the audio files to your skimmer.
Pretty sad that Black Hat has turned into a n00b conference. Was there also a talk on how you can use keyloggers?
Gen1 was unencrypted (Score:2)
Gen 1 was always unencrypted. They didn't hack the gen2 or gen3 hardware to unencrypt it.
I can't tell from the slides whether they used a gen1, gen2, or gen3 reader to do their playback attack.
Even before Square, you could buy card readers on eBay. This doesn't really bring anything to the table.
Re: (Score:2)
Gen 2 and 3 were still cracked. You still did the same trick: you plug it in and use an audio record app, send that audio to your guy that pays you $10.00 for each audio file, and use PC software to decrypt.
Even the PayPal one was cracked a long time ago.
Re: (Score:2)
So the modified firmware of a device plugged into a headphone jack lets it somehow TRANSMIT to a 'nefarious third party'? Please tell me more.
this isn't the first _how the F did they get past the retard filter_ talk at Black Hat
Re: (Score:1)
'Black Hat' was compromised a very long time ago, and there are also many things they won't expose due to government threats. (What aren't we hearing from them this year?) So, now it's more a nostalgia thing for the phone phreaks and marketing for security companies.
Re: (Score:1)
Submitted a talk on a whim and the review process was... disappointing. They don't bother to read white papers and they'll reject talks for sounding "academic".
The invited speakers are generally good and there are a few diamonds in the rough, but a depressing amount of the conference is filled with UFO nuts and people showing off their scripts.
Honestly, is anybody surprised? (Score:5, Insightful)
Did anybody expect us to believe something you plugged into a cell phone speaker jack was actually secure in any sense of the word?
Here's a good rule of thumb: if it's a piece of consumer electronics, or involves your phone ... it's probably got terrible security.
The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".
The damned thing is almost guaranteed to be something which can be exploited. Sadly, just like every other piece of consumer electronics which tries to add network connectivity.
Companies don't care about, don't know about, and aren't accountable for security. Stop trusting that they do.
Re: (Score:3)
The addition of a smartphone, the use of a headphone jack, and the intention to make it simple to use for small businesses.
Which means you should just start out assuming that it has, like every piece of consumer technology these days, absolutely terrible security .. if any at all.
Every damned week we see yet another piece of consumer tech which has almost zero security. Assuming this is true should be your default position.
What kind of bubble have you lived in that with a Slashdot id that low you still put
Re: (Score:2)
There's no reason they'd have a 1st gen (unencrypted) reader, since Square sends free replacements to upgrade.
I've never heard from Square about any intent to replace my first-gen reader. Still have it, still use it, never seen one of the newer units.
Re: Honestly, is anybody surprised? (Score:1)
^ same. I got the original one when they first started. No emails saying it's vulnerable, they didn't even ask if I wanted a replacement. Seems since it is free they are leaving it up to the users to ask for new ones.
Re: (Score:1)
it's not square's fault. that's the model, i give you a credit card number and an amount, and you transfer the money.
the reader just converts the magstripe, which contains the credit card number, the same thing printed on the front, into a signal
i could also just take a picture of the front of your credit card
don't blame square, blame visa and the banks for having no security
Re: (Score:3)
I may be wrong, but I don't think GP is asking you why you think the device in question isn't secure. I think GP is asking you why you think other devices are.
Re: (Score:2)
If credit card payment through a smartphone is insecure, what alternative to a credit card would you prefer for a purchase outside a fixed store front? If cash, how much cash should people carry instead?
Re: (Score:1)
welcome to the race-to-the-bottom.
I'm here in the bay area, which USED TO BE a hotbed of quality and innovation. ha! now it's entirely a sweatshop where unskilled foreigners (who will do just what they are told and march to stupid/fast schedules that don't allow for proper design or testing) are the norm. software is a factory job, now. if you question things, you get fired. if you try to fix broken processes, you get fired.
all that matters is cheap and fast-to-market.
I have zero faith in software or e
Re: (Score:2)
No, but why do you place any trust in any other card reader? Hardware owned by someone else can be doing anything they want in addition to (or instead of) what it's supposed to be doing.
Or are we specifically assuming the case where the owner of the square-and-phone is not involved and the unit's been subverted out from under them? That can also happen in other cases, if anyone besides the owner has physical access to the hardware (clerks, for example).
Which leaves us down to remote attacks by folks with no
Re: (Score:2)
ANY card reader is susceptible to this attack and that has been known since card readers were being produced.
Look at your grocery store card reader: Serial or USB port. Crack open those all-in-one with an Ethernet port or a phone jack: three wires go to the reader.
Unless you're doing some type of Kerberos-style authentication (à la Apple iWallet or whatever), your card (even the chipped ones) is pretty much going to donate all your information to the first card reader that comes along. Even EMV cards (the o
Re: (Score:1)
I, for one, rely heavily on the credit card fraud protection - and that I'm not responsible for theft of services.
VISA/MC/AMEX might care because they foot the bill. But it ain't my problem.
I've had my cards reissued twice due to "strange purchases in far away places" - which is a PITA because I must update all of my auto-bill-pays. So I have adopted a ringed mechanism - I have a card that is used only for bill pay - and another for shopping. Hopefully reducing *my* PITA from stolen cards. The one I use
Re: (Score:2)
Which color Square reader?
Yes, the really old ones were trivial (white?), unencrypted/obscured.
The black ones changed that, it added 'encryption' to the data before pulling it off the reader. I don't know how technically correct that is but they did make some changes.
This paper is about the white one, which was a limited distribution unit.
This paper is several years out of date.
NEWSFLASH (Score:1)
Machine designed to read credit cards hacked to read credit cards. Story at 11.
Re: (Score:1)
I honestly don't see that this is a problem.
Does anyone remember the cuecat?
It made an output that was unusable without their special software.
But someone figured out how to modify it so the output was decrypted Confuse-A-Cat.
There was also a program called CatNip that would do the same without hardware modification.
Then you could use a device that was being given away for free to scan things with software you already had.
So they have bypassed the drm on the device to read cards with other software.
I wouldn'
Different quote to keep in mind (Score:2)
It's news to me (Score:3)
... that anyone would expect this to be particularly hard to do. After all you're just reading bits off a magnetic stripe.
Vendors like to talk as if the security of a system is determined by the toughest component in the system, because then they can simply buy some whiz-bang encryption chip, slap it in their product, and claim their product is nigh unbreakable by ordinary mortals. But the truth is the security of a system is determined by its *weakest* component, and in this case that starts with the card itself. Trying to secure that is like trying to secure your butter by nailing it to the butter dish.
Re: (Score:2)
You can read a mag card without electronics even. Just sprinkle some very fine powdered iron filings on it and you'll see the bars. Very old trick.
Re: (Score:1)
Or look at the front?
Re: (Score:2)
I read a credit card just by looking at the front of the card. I generally use a piece of technology to read the card- glasses.
A few years ago, I used a credit card at a Restaurant, and the waiter must have copied down the number as a week later, I get a Call from Visa Fraud Prevention. Someone was using my card across the State from where I live. And they were swiping a card at gas stations. It is not really necessary to read the mag stripe to steal a credit card number.
This is why I use a Visa or Mast
Haaahaahaaa (Score:1)
Nice job Google advertising, an article about Square being "hacked" and you're advertising Square, with a Free card reader! I agree though this seems like a lot of "controversy" over something that should be obvious to anyone who understands ANYTHING about technology. And as with most payment methods you have to trust the person on the other side of the register to a degree because even with hardened POS terminals there are often childishly easy ways to slip a system in between to skim card numbers.
Re: (Score:2)
That's already been hacked, too. The chips are remotely readable from 5 meters, at least, and the PIN entry is hardly ever cloaked, and when it is, an IR scan can readily pick up the last entry from about the same distance.
credit cards are insecure by design (Score:2)
It is totally impossible to secure credit cards given the way that credit card transactions work. I simply don't understand how come credit cards work the way they do. There's absolutely no authorization step involved.
Re: (Score:2)
It is totally impossible to secure credit cards given the way that credit card transactions work. I simply don't understand how come credit cards work the way they do. There's absolutely no authorization step involved.
Because right now, the cost of fraud is less than the fees they charge the merchant for accepting credit cards.
This is true in countries where banks are forced to cover the cost of fraud like Australia; in countries where they can pass it onto the merchant or user, it's a license to print money.
Put simply, there's no impetus to be secure yet. Banks don't want it, users will reject it, merchants don't get a say in it. The major credit card providers are looking for ways to remove the current authorisation
Congratulations. (Score:1)
You just slashdotted Dilbert.
That's an accomplishment.
You don't say (Score:2)
Holy shit, these conferences really have started to dredge the bottom of the barrel, haven't they?
hi (Score:1)