Slashdot Mirror


At Black Hat: Square Reader To Credit Card Skimmer In 10 Minutes

New submitter arit writes with word that three recent Boston University grads have demonstrated at Black Hat software and hardware attacks on the Square Reader used by many mobile vendors to process credit card transactions. One of the attacks converts a standard reader into an efficient credit card skimmer (conference slides) with very little effort. Always keep Scott Adams' object lesson in mind.

62 comments

  1. Card Readers are Card Skimmers by Anonymous Coward · · Score: 5, Insightful

    We have card readers attached to our pay-for-print release stations. Turns out if you open Notepad on the release station, the card reader instantly becomes a card skimmer, because, well, card readers read cards.

    1. Re:Card Readers are Card Skimmers by Anonymous Coward · · Score: 0

      Agree. The hysteria is an insult to our intelligence. I would be more interested in a comparison to chip-based readers: is it possible to build a chip-based skimmer? I could imagine ways of making it impossible, like taking advantage of the skimmer's being offline by putting a counter in the card, or designing the card-to-readerskimmer protocol so you could only charge the card with the api key of the reader that read it (forcing fraudsters to bill cards under their own merchant accounts which would make them easy to shut down). But, is it? Or is the protocol just, "okay, hello! yes! now give me your card number!" + "implement all this other frivolous stuff to increase attack surface while justifying our consultants' trips to Davos."

      The second insult to our intelligence is "10 minutes". If you want to go into the skimming business, you can afford to spend more than 10 minutes on preparation. There is no time constraint here. It is like some cheesy action movie. I feel so dumbed down.

    2. Re:Card Readers are Card Skimmers by taustin · · Score: 2

      I would be more interested in a comparison to chip-based readers: is it possible to build a chip-based skimmer?

      Highly variable technology, at this point. Generally speaking, yeah, it could be done (though I suspect it'd be harder). The newest toy is a system that encrypts everything on the reader (or maybe on the card), and the merchant never sees the card info at all, so there's nothing to steal. Merchant services are pushing this hard, but it'll take a decade to get it fully deployed, even with the carrot of not having to be PCI compliant any more.

    3. Re:Card Readers are Card Skimmers by mjwx · · Score: 1

      We have card readers attached to our pay-for-print release stations. Turns out if you open Notepad on the release station, the card reader instantly becomes a card skimmer, because, well, card readers read cards.

      Why bother with card skimmers any more when contactless cards will tell you everything you need to know to make purchases online wirelessly?

      Card number, check
      Name, check
      Expiry date, check

      Everything you need to sell that shit on the black market delivered wirelessly... And no one questions why someone is walking around with a high visibility jacket, clipboard and strange antenna in a crowded shopping mall.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. Black Hat for Noobs now? by Lumpy · · Score: 4, Insightful

    The square reader to skimmer trick has been around for YEARS. Cripes all you had to do was record the audio and send the audio files to your skimmer.

    Pretty sad that Black Hat has turned into a n00b conference. Was there also a talk on how you can use keyloggers?

    --
    Do not look at laser with remaining good eye.
    1. Re:Black Hat for Noobs now? by fustakrakich · · Score: 1

      'Black Hat' was compromised a very long time ago, and there are also many things they won't expose due to government threats. (What aren't we hearing from them this year?) So, now it's more a nostalgia thing for the phone phreaks and marketing for security companies.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Black Hat for Noobs now? by Anonymous Coward · · Score: 1

      Submitted a talk on a whim and the review process was... disappointing. They don't bother to read white papers and they'll reject talks for sounding "academic".

      The invited speakers are generally good and there are a few diamonds in the rough, but a depressing amount of the conference is filled with UFO nuts and people showing off their scripts.

    3. Re:Black Hat for Noobs now? by Anonymous Coward · · Score: 0

      Keyloggers, you say? I'm intrigued. Tell me more about this key logging.

  3. Honestly, is anybody surprised? by gstoddart · · Score: 4, Insightful

    Did anybody expect us to believe something you plugged into a cell phone speaker jack was actually secure in any sense of the word?

    Here's a good rule of thumb: if it's a piece of consumer electronics, or involves your phone ... it's probably got terrible security.

    The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".

    The damned thing is almost guaranteed to be something which can be exploited. Sadly, just like every other piece of consumer electronics which tries to add network connectivity.

    Companies don't care about, don't know about, and aren't accountable for security. Stop trusting that they do.

    --
    Lost at C:>. Found at C.
    1. Re:Honestly, is anybody surprised? by Anonymous Coward · · Score: 0

      Hear, hear.

    2. Re:Honestly, is anybody surprised? by Yosho · · Score: 2

      The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".

      What makes them less trustworthy than any other credit card reader?

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    3. Re:Honestly, is anybody surprised? by gstoddart · · Score: 2

      The addition of a smartphone, the use of a headphone jack, and the intention to make it simple to use for small businesses.

      Which means you should just start out assuming that it has, like every piece of consumer technology these days, absolutely terrible security .. if any at all.

      Every damned week we see yet another piece of consumer tech which has almost zero security. Assuming this is true should be your default position.

      What kind of bubble have you lived in that with a Slashdot id that low you still put any faith in this crap? Because weekly for the last decade or so is evidence to the contrary.

      An app and a headphone jack simply can't graft security onto a smartphone.

      --
      Lost at C:>. Found at C.
    4. Re:Honestly, is anybody surprised? by Anonymous Coward · · Score: 0

      The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".

      What makes them less trustworthy than any other credit card reader?

      That would be an even longer chain of insecure and harder-to-detect links than attend to other typical credit-card transactions.

      As far as trust goes, I would still trust the vendors--but only with cash. I absolutely refuse to let a Square reader scan my credit card.

    5. Re:Honestly, is anybody surprised? by cyberchondriac · · Score: 2

      I have to back this up. In June, I used a Paypal debit card for a small vendor at a Ren Faire who used one of these, (I rarely ever used this card) and a month later, I got billed $567 at some Japanese hotel. The dispute is ongoing, though I jumped on it immediately, got the card disabled and a credit; still, that money was out of my checking account for a few days. Now, it could've been a dishonest vendor, or an employee, malware on her phone, or something else, I don't know, -even a different transaction possibly- but it seems beyond coincidence as I rarely use that card and hadn't used it for months and months prior, and had never used it with a card reader before and never had an issue before.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    6. Re:Honestly, is anybody surprised? by Anonymous Coward · · Score: 1

      it's not square's fault. that's the model, i give you a credit card number and an amount, and you transfer the money.

      the reader just converts the magstripe, which contains the credit card number, the same thing printed on the front, into a signal

      i could also just take a picture of the front of your credit card

      don't blame square, blame visa and the banks for having no security

    7. Re:Honestly, is anybody surprised? by Anonymous Coward · · Score: 0

      malware on her phone

      This is the one it couldn't be. The readers send data to the phone encrypted. It takes an intentional physical act to skim the numbers. There's no reason they'd have a 1st gen (unencrypted) reader, since Square sends free replacements to upgrade.

    8. Re:Honestly, is anybody surprised? by Kidbro · · Score: 2

      I may be wrong, but I don't think GP is asking you why you think the device in question isn't secure. I think GP is asking you why you think other devices are.

    9. Re:Honestly, is anybody surprised? by Yosho · · Score: 2

      What kind of bubble have you lived in that with a Slashdot id that low you still put any faith in this crap?

      As Kidbro pointed out, you're making an incorrect assumption. I don't think smartphone credit card readers are secure. I think that all of the other types of card readers are insecure, too. There have been many cases of them being compromised.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    10. Re:Honestly, is anybody surprised? by wolrahnaes · · Score: 1

      There's no reason they'd have a 1st gen (unencrypted) reader, since Square sends free replacements to upgrade.

      I've never heard from Square about any intent to replace my first-gen reader. Still have it, still use it, never seen one of the newer units.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    11. Re: Honestly, is anybody surprised? by Anonymous Coward · · Score: 1

      ^ same. I got the original one when they first started. No emails saying it's vulnerable, they didn't even ask if I wanted a replacement. Seems since it is free they are leaving it up to the users to ask for new ones.

    12. Re:Honestly, is anybody surprised? by tepples · · Score: 1

      If credit card payment through a smartphone is insecure, what alternative to a credit card would you prefer for a purchase outside a fixed store front? If cash, how much cash should people carry instead?

    13. Re:Honestly, is anybody surprised? by asolidvoid · · Score: 1

      But when the alternative is NOT eating that delicious lobster roll, what is one to do? Like it or not, the consumer security ship seems to have sailed and we need processes on the back end to protect ourselves (like the single-use card numbers generated by ApplePay-esque systems). I applaud you for fighting the good fight, but these security holes feel like a fact of life at this point.

    14. Re:Honestly, is anybody surprised? by TheGratefulNet · · Score: 0

      welcome to the race-to-the-bottom.

      I'm here in the bay area, which USED TO BE a hotbed of quality and innovation. ha! now it's entirely a sweatshop where unskilled foreigners (who will do just what they are told and march to stupid/fast schedules that don't allow for proper design or testing) are the norm. software is a factory job, now. if you question things, you get fired. if you try to fix broken processes, you get fired.

      all that matters is cheap and fast-to-market.

      I have zero faith in software or even hardware products these days. such a shame. but at least those of us in the biz know this and so we are not surprised at total lack of security in ANYTHING anymore.

      put my banking online? right.... medical files online? yeah, sign me right up. what could possibly go wrong?

      --
      "It is now safe to switch off your computer."
    15. Re:Honestly, is anybody surprised? by suutar · · Score: 1

      No, but why do you place any trust in any other card reader? Hardware owned by someone else can be doing anything they want in addition to (or instead of) what it's supposed to be doing.

      Or are we specifically assuming the case where the owner of the square-and-phone is not involved and the unit's been subverted out from under them? That can also happen in other cases, if anyone besides the owner has physical access to the hardware (clerks, for example).

      Which leaves us down to remote attacks by folks with no physical access... but that's happened elsewhere too, though usually by attacking the server rather than the reader (Target comes to mind).

      So really, what reader deserves any substantial amount of trust?

    16. Re:Honestly, is anybody surprised? by ripvlan · · Score: 1

      I, for one, rely heavily on the credit card fraud protection - and that I'm not responsible for theft of services.

      VISA/MC/AMEX might care because they foot the bill. But it ain't my problem.

      I've had my cards reissued twice due to "strange purchases in far away places" - which is a PITA because I must update all of my auto-bill-pays. So I have adopted a ringed mechanism - I have a card that is used only for bill pay - and another for shopping. Hopefully reducing *my* PITA from stolen cards. The one I use for shopping has "an app" that pops up immediate "Your card was used to buy $xxx at StoreABC"

    17. Re:Honestly, is anybody surprised? by guruevi · · Score: 1

      ANY card reader is susceptible to this attack and that has been known since card readers were being produced.

      Look at your grocery store card reader: Serial or USB port. Crack open those all-in-one with an Ethernet port or a phone jack: three wires go to the reader.

      Unless you're doing some type of Kerberos-style authentication (ala Apple iWallet or whatever), your card (even the chipped ones) are pretty much going to donate all your information to the first card reader that comes along. Even EMV cards (the ones with the digital certificate on the chip) have been proven to have flaws.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    18. Re:Honestly, is anybody surprised? by BitZtream · · Score: 1

      Which color Square reader?

      Yes, the really old ones were trivial (white?), unencrypted/obscured.

      The black ones changed that, it added 'encryption' to the data before pulling it off the reader. I don't know how technically correct that is but they did make some changes.

      This paper is about the white one, which was a limited distribution unit.

      This paper is several years out of date.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Gen1 was unencrypted by mveloso · · Score: 1

    Gen 1 was always unencrypted. They didn't hack the gen2 or gen3 hardware to unencrypt it.

    I can't tell from the slides whether they used a gen1, gen2, or gen3 reader to do their playback attack.

    Even before Square, you could buy card readers on eBay. This doesn't really bring anything to the table.

    1. Re:Gen1 was unencrypted by Lumpy · · Score: 1

      Gen 2 and 3 were still cracked. you still did the same trick you plug it in and use an audio record app. send that audio to your guy that pays you $10.00 for each audio file and use PC software to decrypt.

      Even the Paypal one was cracked a long time ago.

      --
      Do not look at laser with remaining good eye.
    2. Re:Gen1 was unencrypted by thedonger · · Score: 1

      Show me malware running on a device used by an honest, unaware vendor, and have it send the data to a nefarious third party, and now we're talking.

      --
      Help fight poverty: Punch a poor person.
    3. Re:Gen1 was unencrypted by Anonymous Coward · · Score: 0

      ATMs have been doing this for years. Fake reader records data and takes image of the front and back, someone comes along later, connects their smartphone and downloads what was captured.

    4. Re:Gen1 was unencrypted by Anonymous Coward · · Score: 0

      Target.

    5. Re: Gen1 was unencrypted by Cramit · · Score: 1

      If you look at the slides they actually subverted the chip and were able to get the raw data from the reader with no encryption... No need to send the data to the 3rd party.

    6. Re:Gen1 was unencrypted by citizenr · · Score: 1

      So the modified firmware of a device plugged into headphone jack lets it somehow TRANSMIT to 'nefarious third party'? please tell me more

      this isn't the first _how the F did they get past the retard filter_ talk at blackhat

      --
      Who logs in to gdm? Not I, said the duck.
    7. Re:Gen1 was unencrypted by thedonger · · Score: 1

      The article is about turning a reader into a skimmer, which we all seem to agree is dumb seeing as a skimmer is a reader. These particular readers are typically plugged into a tablet or other handheld device so people can sell stuff to other people via credit/debit card. I'm saying, make it about malware running on said vendor's device that transmits the card data to a nefarious third party. That would be more interesting. For good measure, throw in a novel vector to infect device with the malware.

      --
      Help fight poverty: Punch a poor person.
    8. Re: Gen1 was unencrypted by Anonymous Coward · · Score: 0

      I don't think he meant sending it to a 3rd party for decryption. I think he meant selling the audio data to a 3rd party.

  5. Simming is for cows(' milk). by Anonymous Coward · · Score: 0

    You are all cows. Cows say moo. MOOOOOOOO! MOOOOOOO! Moo cows MOOOOOO! Moo say the cows. YOU SKIMMED MILK COWS!!

    1. Re:Simming is for cows(' milk). by Anonymous Coward · · Score: 0

      mad cow disease sucks

      sincerely anonymous mad cow coward

  6. NEWSFLASH by Schlopper · · Score: 1

    Machine designed to read credit cards hacked to read credit cards. Story at 11.

    1. Re:NEWSFLASH by sims+2 · · Score: 1

      I honestly don't see that this is a problem.
      Does anyone remember the cuecat?
      It made an output that was unusable without their special software.

      But someone figured out how to modify it so the output was decrypted Confuse-A-Cat.
      There was also a program called CatNip that would do the same without hardware modification.

      Then you could use a device that was being given away for free to scan things with software you already had.

      So they have bypassed the drm on the device to read cards with other software.

      I wouldn't think this would really impact the security of the users in any way.

      If I bothered to look I imagine I could find a lot of equipment that would do this out of the box. Though it's probably not as cheap or as small.

      The only people this really impacts is square as they sell their equipment under the assumption that you won't be able to use it for anything else.

      It's kind of like how an inkjet printer only costs $99 but a set of ink costs $120.

      --
      Minimum threshold fixed. Thanks!
  7. Credit card skimmer? by Anonymous Coward · · Score: 0

    Do you know about this system where you can't fake transactions? Bitcoins.

  8. Different quote to keep in mind by Erbo · · Score: 1

    This story brought a quote from Gibson to mind for me: "The street finds its own uses for things." (from "Burning Chrome")

    --
    Be who you are...and be it in style!
  9. Contactless insanity by Anonymous Coward · · Score: 0

    Now add contactless cards, that makes everything better!!
    and while we are at it we can become a cashless society too because they are cool!!!!!

    Why do so many people seem to want to switch to card technologies that don't even need to be put into the reader to be skimmed and then remove their safer backup systems? Other than the banks I mean, their interest in becoming the only way to pay is obvious, 2% of everything in fees is a lot.

  10. Old news/obvious by Anonymous Coward · · Score: 0

    Good job Black Hat for once again exposing what the hacker community has had available for years.

  11. It's news to me by hey! · · Score: 2

    ... that anyone would expect this to be particularly hard to do. After all you're just reading bits off a magnetic stripe.

    Vendors like to talk as if the security of a system is determined by the toughest component in the system, because then they can simply buy some whiz-bang encryption chip, slap it in their product, and claim their product is nigh unbreakable by ordinary mortals. But the truth is the security of a system is determined by its *weakest* component, and in this case that starts with the card itself. Trying to secure that is like trying to secure your butter by nailing it to the butter dish.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:It's news to me by Nethead · · Score: 1

      You can read a mag card without electronics even. Just sprinkle some very fine powdered iron filings on it and you'll see the bars. Very old trick.

      --
      -- I have a private email server in my basement.
    2. Re:It's news to me by Anonymous Coward · · Score: 1

      Or look at the front?

    3. Re:It's news to me by swv3752 · · Score: 1

      I read a credit card just by looking at the front of the card. I generally use a piece of technology to read the card- glasses.

      A few years ago, I used a credit card at a Restaurant, and the waiter must have copied down the number as a week later, I get a Call from Visa Fraud Prevention. Someone was using my card across the State from where I live. And they were swiping a card at gas stations. It is not really necessary to read the mag stripe to steal a credit card number.

      This is why I use a Visa or MasterCard, so I am protected when someone steals my card number. It is going to happen eventually, as it is way too easy to copy down someone's number and reuse it.

      --
      Just a Tuna in the Sea of Life
  12. Camera by Anonymous Coward · · Score: 0

    Taking a photo of both sides of a credit card is also quite efficient as a recording mechanism. There's nothing special on the stripe. Credit cards, payments, security: choose any two.

  13. Haaahaahaaa by Anonymous Coward · · Score: 1

    Nice job Google advertising, an article about Square being "hacked" and you're advertising Square, with a Free card reader! I agree though this seems like a lot of "controversy" over something that should be obvious to anyone who understands ANYTHING about technology. And as with most payment methods you have to trust the person on the other side of the register to a degree because even with hardened POS terminals there are often childishly easy ways to slip a system in between to skim card numbers.

  14. Chip & Pin by Anonymous Coward · · Score: 0

    When will the US finally abandon this stupid magnetic stripe + signature on a piece of paper and actually enforce proper chip & pin cards? The technology has been available for 30 years now!

    1. Re:Chip & Pin by dltaylor · · Score: 1

      That's already been hacked, too. The chips are remotely readable from 5 meters, at least, and the PIN entry is hardly ever cloaked, and when it is, an IR scan can readily pick up the last entry from about the same distance.

  15. credit cards are insecure by design by Khashishi · · Score: 1

    It is totally impossible to secure credit cards given the way that credit card transactions work. I simply don't understand how come credit cards work the way they do. There's absolutely no authorization step involved.

    1. Re:credit cards are insecure by design by mjwx · · Score: 1

      It is totally impossible to secure credit cards given the way that credit card transactions work. I simply don't understand how come credit cards work the way they do. There's absolutely no authorization step involved.

      Because right now, the cost of fraud is less than the fees they charge the merchant for accepting credit cards.

      This is true in countries where banks are forced to cover the cost of fraud like Australia, in countries where they can pass it onto the merchant or user, it's a license to print money.

      Put simply, there's no impetus to be secure yet. Banks don't want it, users will reject it, merchants don't get a say in it. The major credit card providers are looking for ways to remove the current authorisation steps (entering a PIN) in order to get more people using the credit networks. Eventually the cost of fraud will force some security measures in, even then it will probably have to be mandated by the EU or US govts before anything is done and the implementation will still be half arsed.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  16. Congratulations. by bughunter · · Score: 1

    You just slashdotted Dilbert.

    That's an accomplishment.

    --
    I can see the fnords!
  17. magnetic stripe has never been about security by Anonymous Coward · · Score: 0

    Unless things have changed in the last decade, the magnetic stripe on a credit card simply contains the card number, expiry date, and name on the card. There is nothing on the stripe that isn't visible on the card. It isn't a security feature--it simply makes that information easily readable by a POS machine.

  18. You don't say by Mr.+Freeman · · Score: 1

    You mean to tell me that a credit-card reader can read credit card numbers as the credit cards are swiped through the reader? Who would have thought?!

    Holy shit, these conferences really have started to dredge the bottom of the barrel, haven't they?

    --
    -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
  19. hi by Anonymous Coward · · Score: 0

    hello there

  20. hi by mccartkatty · · Score: 1

    hello there