As if we didn’t know this already, the good folks at the Black Hat Conference in Las Vegas last week demonstrated another way to fool Square software into taking a payment. It’s a technical hack, one that basically allows a bad actor to create a sound file of a magstripe (it is audio tape after all) and play that sound file into a Square-enabled smartphone’s audio input jack. The Square software interprets it as a swipe from a Square reader.
This new weaknesses is neither really new or much of a threat. As we’ve known for months, it’s so much easier using Square as a card skimmer. There’s plenty of software out there to capture what the Square reader reads: the magstripe payment data. Making a counterfeit card is just one step away.
At February’s Visa Security Summit, Square announced that it will be shipping a reader with an encrypting head this summer. We’re halfway through summer with no word on its availability. It’s hard to imagine that Square can afford to offer a free encrypting reader. That step requires more sophisticated hardware. Charging for the reader is an “out of model” experience for Square. From a strictly security point of view, the company should replace all of its current readers and reject unencrypted transactions thereafter. While it’s arguable that that is necessary from a risk and business perspective, the company should get those encrypting readers fielded ASAP.