Square Mobile Payments Square

A simple tool that can turn any iPhone into a credit card machine can also be a simple way for crooks to steal cash, hackers demonstrated this week. Square can eliminate the hassle of money laundering.

Instead of stealing credit card numbers, buying items and then selling those items for cash, Square can deposit money directly into a user’s account. Computer security experts from a firm called Aperture Labs described the process at the Black Hat security conference in Las Vegas.

Square enables mobile credit card payments by inserting a small dongle into the headphone jack of an iPhone or iPad. A user swipes the credit card’s magnetic stripe through a slit on the dongle, and credit card information is sent to the seller’s Square account.

Hacker Adam Laurie realized that using the headphone jack meant the device was converting the magnetic stripe information into sound waves that were interpreted by the app, according to a writeup by AFP. He realized he could trick the system into falsely reading audio data, so it would enter a transaction using a stolen credit card number.

He inserted a different wire into the iPad’s headphone jack, so the software thought a dongle was plugged in. Then he modified some software he had already written for translating magnetic stripe data (we mentioned he’s a hacker, right?) and typed in a credit card number. The data was converted to sound, and the app read the information as if a real card had been swiped. He could then have the funds deposited into his Square account, where they are delivered within a day.

Laurie and co-hacker Zac Franken said they notified Square of the threat, but were told credit card traffic analysis would spot such malfeasance. Meanwhile, they have since learned the company is planning to release new dongles that encrypt data — which they currently do not. Looks like further motivation to keep your personal data secure.

[via PhysOrg]

15 Comments

This article just SCREAMS of easy BUY and accepts interest later and other tags of payments later! "How can I pick your pocket"; "It also screams of fake and copy credit cards and other such adventures". I worry...... every day, of living a normal and daily life and suddenly my credit score be gone, my money be gone and the government is slow in following this negative dramas of my own life, I sink into a negative nightmare of hopelessness and manipulation without a heaven. And I am just a regular guy, working for a living, middle class or lower and I am screwed and hopeless in all directions. " I am SCREWED by AUTOMATIC, COMPUTEROTICS AND HACKING AND I JUST END UP DYING, FIGHTING TO DEFEND MYSELF AS A GOOD PERSON, BUT HOPELESSLY OVERWHELMED BY NEGATIVE DATA BY A COMPUTER. THE HACKER AND THE COMPUTER WINS!

"Meanwhile, they have since learned the company is planning to release new dongles that encrypt data — which they currently do not"
The above encryption will not solve anything.
The easiest way would be to clone a card.
Cash is still relevant especially for small transactions.
Not to mention that cash will not fail in case of power outages.

Awesome app I must say. This Square mobile credit card reader app is great software for iPhone and iPad, and it is user friendly also. This app can make money transactions much easier. Thank you for sharing this great info with us.

God Bless!!

Nice hack, but there's a few problems to face:

Credit companies identify fraudulent transactions pretty quick, and even if they don't they will just charge the merchant back if they don't have the customer's approval.
Most credit cards, Visa and MasterCard, have new rules: in the near future merchants need to have a credit chip reader.

There have been algorithms around for some time now that would automatically generate card numbers; having just the credit card number won't get you too far nowadays.

Dumb. I use Square's app for processing AMEX cards for an on-line e-store. All info for a transaction can be entered on-screen. No dongle required, at least under Android. Why go through the trouble of encoding numbers into tones?

The system seems very secured so far, but in the hands of crimes, it can be a "God sent". As usual common governed everything...

Wow it's good! iPhone is the best!!!!

Is it really such an inconvenience for people to carry a regular freakin' credit card on them? Seriously. This just isn't worth the risk.

Anyone thought about Portal when they read Aperture Labs?

@kherzhul: I immediately started humming "Still Alive" and wondering if it was a plot by GLaDOS

this is a great example of how hacking is so great. portal ftw!

to mars or bust!

I realized this the second I first used a Square reader. There's not even any need for a special app with a special wire; if you have a good-quality microphone headset, it'll work just as well. The app can't tell if the thing plugged in is a headset or a Square dongle.

I even came up with an interesting method of releasing people's credit card info online this way.

1) While swiping the card through your Square dongle, open up the iOS Voice Recorder app first. Swipe and save, tell the customer the app crashed and you just need to swipe it again; then open Square and process the transaction normally.

2) At your leisure, plug your jailbroken iOS device into your computer and use iPhone Browser or the like to find that recording file. Load it into any decent audio editor (say Audacity) and overlay a music track on top of it and save this new file.

3) In your audio editor, load the same music file sans the card data and invert it. Distribute the inverted music and the music-overlaid card data in separate torrents.

4) Anyone who downloads these can simply overlay them on each other and get the original card data back, and playing that into a mic with the Square app running will trick the app into thinking you've swiped that person's card. Now EVERYONE can take money from the one person.

Just sayin', it's certainly doable and seriously dangerous.

-IMP

@Kerzuhl
I thought I was the only one who noticed. Btw, have you seen my companion cube? I left it somewhere in the vicinity of an incinerator... :(
-Spouting a fountain of nonsense since 1995-
