The Square reader makes any iPhone into a credit card reader. Set up an account with Square and you can take credit card payments, and the reader comes free with your account. It's a great thing for craft vendors and other small-scale merchants. And it's perfectly secure… isn't it?
Adam Laurie (also known as Major Malfunction) and Zac Franken of Aperture Labs wondered just how secure such a thing could be. It just uses the earphone jack, after all. So it must be converting the magnetic stripe data into sound. Confirming this was simple enough.
The pair wrote a simple PC-based tool to record the credit card sound and play it back on demand. They bought a $10 cable to connect a laptop to the iPhone. In a small press preview at the Black Hat conference they demonstrated that playing the credit card sound has the same effect as scanning the card with the Square reader. The researchers notified Square in February; Square responded that they see no significant threat.
This hack also allowed them to effectively pull cash from a gift card that officially can't be used for cash. All they had to do was "pay" themselves using the hack software. Laurie pointed out that malefactors can use this technique to directly get money from stolen credit card data, rather than having to purchase goods and resell them.
The hack poses no risk to users of the Square service. Quite the contrary; the risk is to everyone else from Square users misusing the device. This hack won't last forever. A new version of the Square device is in the works.
In addition, this hack doesn't really demonstrate a weakness with Square. The real problem is in the mag stripe concept itself. Using the Square reader simply lets people skim credit card data with no special knowledge or hardware. Now don't you feel secure?