Mobile Point of Scam: Attacking the Square Reader

Presented at Black Hat USA 2015, Aug. 5, 2015, 5:30 p.m. (30 minutes)

We consider the security of Square, Inc.'s mobile card-reading device, the Square Reader, across multiple models, as well as the associated Square Register app where relevant. In doing so, we identify a number of vulnerabilities in the device that allow both malicious merchants and third parties to initiate fraudulent transactions and, with minor device modification, skim credit card information of unsuspecting customers. We highlight that since mobile card-reading devices like the Square Reader are necessarily compact, cheap, and compatible with a broad range of commodity smartphones, they pose new security challenges over traditional payment-processing hardware. In turn, these challenges expose an attack surface that is relatively new and unexplored given the infancy of mobile point-of-sale systems compared to their non-mobile counterparts. We investigate this attack surface and find a number of vulnerabilities that confirm that even current secure mobile point-of-sale systems suffer from software and hardware design flaws, leaving them vulnerable to both third parties and malicious merchants.

Presenters:

• Artem Losev - Boston University
  Artem Losev is a student at Boston University College of Engineering studying Computer Engineering graduating in May 2015.
• John Moore - Boston University
  John Moore is a software engineer, security researcher, and start-up co-founder. Originally from Baton Rouge, Louisiana, John recently graduated as valedictorian of BU's College of Engineering and will soon begin work at Google Cambridge. John has held an interest in security for more than a decade. He conducted his most recent security research at his alma mater, investigating embedded device firmware vulnerabilities and real-time collaborative encryption schemes. In the past, he has worked as a network engineer, infrastructure engineer, adaptive optics researcher, and independent consultant. In his free time, John enjoys sailing, traveling, and trying new foods.
• Alexandrea Mellen
  Alexandrea Mellen is a Boston University 2015 Computer Engineering graduate. She is an iOS Developer and the founder of Terrapin Computing LLC, which has four iOS applications on the App Store. She has previously worked at MIT with Group Sadoway researching liquid metal batteries; at the Dorm Room Fund, a student-run venture firm that invests in student-run startups; and at NVBots, a 3D printing company. She has teaching experience through the Global App Initiative as an instructor, the MakeBU Hackathon as a mentor, and the Boston App Expo Conference. She also has part-time consulting experience in materials science and engineering.

Links:

• https://www.blackhat.com/us-15/briefings.html#mobile-point-of-scam-attacking-the-square-reader
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Mobile Point Of Scam Attacking The Square Reader.srt (subtitles)
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Mobile Point Of Scam Attacking The Square Reader.mp4
• https://www.youtube.com/watch?v=Q69MV-w_OHk
• https://www.blackhat.com/docs/us-15/materials/us-15-Mellen-Mobile-Point-Of-Scam-Attacking-The-Square-Reader.pdf
• https://www.blackhat.com/docs/us-15/materials/us-15-Mellen-Mobile-Point-Of-Scam-Attacking-The-Square-Reader-wp.pdf

Similar Presentations:

• Black Hat USA 2016 / Can You Trust Me Now? An Exploration into the Mobile Threat Landscape
• AppSec USA 2013 / PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong
• DEF CON 17 (2009) / Is your Iphone Pwned? Auditing, Attacking and Defending Mobile Devices