Mobile credit card reader maker Square today countered the claim by three Boston University (BU) graduates that its reader can be quickly and easily converted into a credit card skimmer.
The company released a statement saying that while all portable readers can be rebuilt to create a malicious unit, there are security measures in place to prevent this from happening to its products.
“Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square,” Square said in a statement emailed to SCMagazine.com.
The hack was discovered by Alexandrea Mellen, John Moore and Artem Losev, who said they found a number of vulnerabilities in the mobile card-reading device that could allow unscrupulous merchants and other third parties to initiate fraudulent transactions with just minor tweaking of the device. Their findings, which are being discussed at Black Hat in Las Vegas Wednesday, show that even secure mobile point-of-sale systems have software and hardware flaws that make them vulnerable.
The group said it studied the company's app and found security issues.
“We consider the security of Square, Inc.'s mobile card-reading device, the Square Reader, across multiple models, as well as the associated Square Register app where relevant,” according to the description of the trio's Black Hat presentation.
The BU grads noted that Square Readers being small, rather simple devices that are compatible with a large number of connected devices plays into the criminal's hands. Complicating matters is that this represents an entirely new area of vulnerability for consumers who may be using a mobile credit card payment system for the first time.
Square added that many of the dangers posed by credit cards equipped with just a magnetic strip will be eliminated as the industry follows Europe's lead and switches over to cards with embedded chips and contactless payment systems.