Square Pwned – the Square Credit Card Skimmer App
In this first post we take a look at the Square credit card skimmer app that I’ve developed. This skimmer app takes advantage of security deficiencies that Square’s credit card payment system has. For those unfamiliar with Square – Square is a credit card payment system that consists of three major components:
- A credit card reader in the form of a small dongle that connects to the headphone jack of smartphones. This reader is distributed to merchants that sign up to Square.
- Smartphone apps for iOS and Android that decode the audio of credit card swipes as received from the reader. The smartphone apps also control user interactions and the credit card transactions.
- A backend authorization and credit card processing system.
In this environment, the skimmer app takes the place of Square’s smartphone app for Android. (Update: Available in the Opera app store, for the Nexus One).
The skimmer app “listens” in on the audio of credit card swipes just as the Square app does. The audio is demodulated into a bitstream, and decoded into credit card number, expiration date and encrypted PIN. In an effort to disguise the fact that credit card swipes are being read by a skimmer app, and not by the authentic Square app, the core credit card reader functionality of the skimmer app is wrapped into a re-creation of the authentic Square smartphone app. In contrast to Square’s app, the skimmer app cannot connect to Square’s backend servers. Instead, the skimmer app retains credit card swipes as audio files that allow later playback into the smartphone while the authentic Square app is running. In this way, the earlier “transaction” is processed as if the original credit card swipe had taken place with the Square app running. From that point forward, skimmed audio files and the decoded credit card data can be “used” in any possible way.
It is important to point out that the skimmer app does not break or circumvent any security measures that may have been put in place to prevent the development and use of such an app. While the content of magnetic strips on credit cards has always been present in unencrypted form, the unsecured Square reader is the key enabling element that allows the skimmer app to listen in on the audio of credit card swipes.
As a merchant and user of Square’s system, I would fully expect that anyone handling credit card data would implement methods that realize a secure chain of custody for the protection of that data. Not so with Square (and possibly others).
It is also important to note that the information and technologies needed to develop the skimmer app are accessible on the open web. No industry “inside” or confidential technology was used to create the skimmer app. All it takes is a good idea of what to look for, and the effort and persistence to integrate the different parts into a cohesive unit.
At the current level, the skimmer app has a few imperfections and missing features that keep it at a proof-of-concept level. To be sure, the hard work has been done, with the full vertical in place, which consists of an efficient credit card reader and a faithfully accurate re-creation of the Square app’s user interface. The missing elements are “busy work”, such as a working article description edit field or the faux preparation of a transaction receipt.
The skimmer app runs on Android and specifically, on the Google Nexus One smartphone. In principle, different versions of the skimmer app could be developed for other devices and platforms such as iOS. The picture below shows the basic screen of the skimmer app, which looks identical to the Square app. For kicks, the skimmer app overlays the merchant name with “Theobald Tiger”, which probably does not correspond to any real account with Square. If that’s not the case: Apologies to the original account holder.
Next, we swipe a credit card and punch in the transaction amount ($9,655.13). Just like the original Square app, the skimmer app reads the content of a credit card’s magnetic strip (track 2, to be exact), and displays the last four digits of the credit card along with the logo of the credit card issuer, which in this example is Mastercard.
Pressing the processing button in the top right corner of the basic screen switches to the authorization screen. The authentic Square app shows the authorization screen while waiting for the backend system to process the transaction. In the skimmer app, this step is just a mockup.
After a couple of seconds, the simulated authorization “goes through”, and the confirmation screen is displayed. Again, the confirmation screen is just a recreation of the original app, without any significant function behind it other than allowing a user to draw a signature.
Finally, we check the detailed credit card data.
In addition to decoding credit card data, the skimmer app also retains the audio of credit card swipes in the form of WAV files. These files can be offloaded from the smartphone and copied to a PC. Using a playback cable that connects the headphone jacks of the PC and the smartphone, the WAV files can be played back into the smartphone in lieu of an actual credit card swipe. The picture below shows the authentic Square app after being fed the audio from a connected PC.
In this way, we are now in a position to process the original credit card “transaction” through Square’s system, “in the back room”, so to speak.
There is no question in my mind that Square must fix their reader, even if it means a wholesale replacement of all fielded readers. It is unacceptable to flood the world with a product that can be hijacked in a manner as straightforward as presented here.
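As an added illustration of what a fixed reader would have to do (this is not Square’s design and not code from the original post), the model below assumes a reader provisioned with a per-device key and a monotonic swipe counter, so that the phone app only ever sees authenticated ciphertext and the backend rejects a replayed capture. The cipher is a toy HMAC-SHA256 counter-mode construction chosen to keep the example standard-library only; a real reader would use a vetted AEAD.

```python
import hmac, hashlib, os, struct

# Constructed sample track-2 data (not a real card); ISO 7813 track 2 layout.
SAMPLE_TRACK2 = b";5412345678901234=25121011234567890?"

def _keystream(key: bytes, header: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, bound to the message header."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + header + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

class EncryptingReader:
    """Assumed reader design: track data is encrypted and authenticated in the dongle."""
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key, self.counter = device_id, key, 0

    def swipe(self, track2: bytes) -> bytes:
        self.counter += 1                      # per-swipe counter makes each message unique
        header = self.device_id + struct.pack(">Q", self.counter)
        ct = bytes(a ^ b for a, b in zip(track2, _keystream(self.key, header, len(track2))))
        tag = hmac.new(self.key, b"mac" + header + ct, hashlib.sha256).digest()
        return header + ct + tag               # the only thing the phone app ever receives

class Backend:
    """Holds per-device keys and the highest counter already accepted from each device."""
    def __init__(self, keys: dict):
        self.keys, self.last_counter = keys, {}

    def process(self, msg: bytes):
        header, ct, tag = msg[:16], msg[16:-32], msg[-32:]
        device_id, counter = header[:8], struct.unpack(">Q", header[8:])[0]
        key = self.keys.get(device_id)
        if key is None:
            return None                        # unknown reader
        expected = hmac.new(key, b"mac" + header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                        # forged or tampered message
        if counter <= self.last_counter.get(device_id, 0):
            return None                        # replayed capture: reject
        self.last_counter[device_id] = counter
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, header, len(ct))))

def demo():
    key, dev = os.urandom(32), b"READER01"     # key provisioned at manufacture (assumed)
    reader, backend = EncryptingReader(dev, key), Backend({dev: key})
    msg = reader.swipe(SAMPLE_TRACK2)
    first = backend.process(msg)               # genuine swipe: accepted, decrypted server-side
    replay = backend.process(msg)              # same bytes played back later: rejected
    return SAMPLE_TRACK2 not in msg, first == SAMPLE_TRACK2, replay is None
```

Both weaknesses the post relies on are closed here: the app cannot read the card number from the audio stream, and a recorded swipe cannot be resubmitted.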
Finally, I want to point at a security issue that Android apps in general have: While the source code of an app can be obfuscated, all resources such as the images used in the user interface are packaged in unencrypted form. Although not essential to create the skimmer app, it was rather useful to incorporate images such as the credit card company logos. By slouching on Proguard and not properly protecting Android apps, Google have some work cut out for themselves as well.