Connect with us

Hi, what are you looking for?



Hackers Turn Square Readers into Crime Tools

Hackers on Thursday showed how to turn the latest model Square mobile payments readers into crime tools.

Hackers on Thursday showed how to turn the latest model Square mobile payments readers into crime tools.

Independent security researchers and self-described hackers Alexandrea Mellen and John Moore were at the Black Hat computer security conference in Las Vegas to demonstrate hacks targeting Square software or the dongle that plugs into audio jacks to read credit card magnetic strips.

“We converted a Square Reader into a credit card skimmer in under 10 minutes,” Mellen told AFP.

“Any layman could do it.”

She said the hardware hack can be done with simple tools including a screwdriver, wire and soldering iron, and that most of the time involved was spent carefully popping open the reader that Square provides to users of its mobile payments application.

Inside the reader a wire is soldered between two points to bypass an encryption chip.

After that, unscrambled information from swiped credit cards can be collected, essentially stolen, to be sold on a black market or abused in other ways, according to Mellen.

Advertisement. Scroll to continue reading.

Playback attack

On the software side, Moore provided details about a mobile application that enables a “playback attack” that lets merchants charge customs for bogus transactions in the weeks or months after legitimate purchases are consumated.

“We find this troubling because unless you are closely watching your credit card statements, you might not notice,” said Moore, a recent Boston University graduate on his way to a job with Internet giant Google.

Moore said that he and Mellen, also a recent graduate of Boston University, targeted the Square Reader because the company headed by Twitter co-founder Jack Dorsey is a leader in a booming trend of using smartphones for real-world financial transactions.

“Square, given its size and a bug bounty program, is no easy target,” Moore said.

“We suspect the vulnerabilities we found in Square might easily apply to other mobile point-of-sale service providers.”

An array of major Internet firms offer cash rewards, or bounties, for software bugs that can be exploited by hackers.

New hardware and software is quickly being fielded in the competitive mobile payments market, with pressure on to keep plug-ins compact and inexpensive, according to Moore.

Mobile payments software needs to be compatible with a variety of mobile phones, which can’t be secured as easily since they are used for many more purposes than making purchases.

Moore referred to the combination of factors as “a recipe for disaster.”

The hackers said they made their findings available to San Francisco-based Square but are not convinced fixes are planned.

Moore said Square told him they were watching for the kinds of bogus transactions that could be generated by “playback” hacks.

“They have the information to see the swipe of the credit card was taken weeks ago,” Moore said.

“They have chosen to monitor the behavior instead of preventing it.”

Written By

AFP 2023

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.