
Topic: Mobile Point of Scam: Attacking the Square Reader


Posted by iTpHo3NiX (Administrator)
Mobile Point of Scam: Attacking the Square Reader
« on: August 08, 2015, 05:30:58 AM »
We consider the security of Square, Inc.'s mobile card-reading device, the Square Reader, across multiple models, as well as the associated Square Register app where relevant. In doing so, we identify a number of vulnerabilities in the device that allow both malicious merchants and third parties to initiate fraudulent transactions and, with minor device modification, skim credit card information of unsuspecting customers. We highlight that since mobile card-reading devices like the Square Reader are necessarily compact, cheap, and compatible with a broad range of commodity smartphones, they pose new security challenges over traditional payment-processing hardware. In turn, these challenges expose an attack surface that is relatively new and unexplored given the infancy of mobile point-of-sale systems compared to their non-mobile counterparts. We investigate this attack surface and find a number of vulnerabilities that confirm that even current secure mobile point-of-sale systems suffer from software and hardware design flaws, leaving them vulnerable to both third parties and malicious merchants.

Source:
https://www.blackhat.com/us-15/briefings.html#mobile-point-of-scam-attacking-the-square-reader

Download Paper:
https://www.blackhat.com/docs/us-15/materials/us-15-Mellen-Mobile-Point-Of-Scam-Attacking-The-Square-Reader-wp.pdf

This was a very interesting read :O I actually have a couple of Square Readers lying around.