Hacks turn Square's reader into a card-stealing machine (updated)
As helpful as a Square Reader may be for purchases at trendy stores, you'll want to watch out -- in the right circumstances, they can also be used to steal your credit card info. Security researchers have discovered that you can physically disable the encryption the device uses to protect your financial info, turning the Reader into a tiny, portable card skimmer. There's also a way to record the signal created by your card when you swipe its magnetic stripe on an unmodified Reader, which theoretically lets evildoers charge your card without approval.
Square is quick to note that an altered Reader won't work with the official app, and that it's not possible to handle a stored swipe "more than once." However, this assumes that you're paying attention to the apps in use when you're buying goods. An enterprising criminal could develop unofficial software that looks legit, but hides skimming code underneath. While it's not very likely that you'll run into one of these tweaked scanners in the wild, it's worth keeping an eye on your credit card statement if that sketchy shop clerk breaks out a Reader to complete a sale.
Update: Square has responded with a fuller version of its response, and contends that these are issues with card readers as a whole, not just its own technology. It contends that you could reassemble the innards of any reader to trick customers, and that the magnetic stripe decoding issue will affect the wider industry until chip-and-pin (EMV) cards take hold in the US. Read the full statement below.
"This story is about issues with magnetic-stripe credit cards, not Square. In 2015, it should not surprise us that a system using essentially the same technology as cassette tapes is vulnerable. That is why major credit card companies, lenders, and businesses are now embracing new, more secure, authenticated payment technologies. Square is helping to lead the way with our own card readers for chip cards and contactless payments.
"Any card reader on the market can be deconstructed. The chip could be crushed and then reassembled by using the undamaged shell of the reader. At Square, we have processes in place to prevent malicious behavior on damaged readers. Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square."
