Square’s Security Woes About MagStripe Cards

Square Readers can be compromised by hackers to steal credit card information, Engadget reported Monday (Aug. 3).

Citing security researchers, the site reported that hackers can disable the encryption that the devices use to shield financial data, which in effect turns the Square device into a “tiny, portable card skimmer,” as Engadget termed it. And that’s not all: Cyberthieves could also record the signal transmitted by the card when its magnetic stripe is swiped through an unmodified Reader, which at least opens up the possibility that a card can be charged for items without the real holder’s approval.

Engadget also reported that Square, in its defense, stated that an altered reader will not work with the company’s app and that a stored swipe cannot be handled more than once. That may still leave open some avenues for theft, Engadget stated, such as a hacker constructing software that masquerades as an official site but hides skimming code.

In an update to its original article, Engadget said that these issues are tied to card readers overall and are not company-specific. The magnetic stripe decoding threat will be mitigated by wider adoption of chip-and-PIN solutions, the company said.

Square said in a statement: “This story is about issues with magnetic-stripe credit cards, not Square. In 2015, it should not surprise us that a system using essentially the same technology as cassette tapes is vulnerable. That is why major credit card companies, lenders and businesses are now embracing new, more secure, authenticated payment technologies. Square is helping to lead the way with our own card readers for chip cards and contactless payments.”

“Any card reader on the market can be deconstructed. The chip could be crushed and then reassembled by using the undamaged shell of the reader. At Square, we have processes in place to prevent malicious behavior on damaged readers. Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square.”

