Hacker Finds How Easy It Is to Steal Money Using Square Credit-Card Reader

Next time, be careful when swiping your credit card at small retailers or trendy stores that use the Square Reader to accept credit card payments.
The increasingly popular and widely used Square Reader can easily be turned into a skimming device that can be used to steal your credit card data, a group of researchers warned.
Square Reader is a tiny device that allows small retailers to easily accept credit and debit card payments without having to spend the money on the traditional point of sale systems.
However, despite its convenience, this cheap and easy-to-use alternative has a critical flaw that could allow anyone to easily steal your payment card information.
All an attacker needs is a screwdriver, superglue, and roughly 10 minutes to turn the latest generation Square Reader into a tiny, portable card skimmer.

Converting a New Generation Square Reader into a Card Skimmer?

A team of three security researchers from Boston University has discovered a way to physically modify the device and disable the encryption that normally protects your credit card data while it is being transmitted to the smartphone.
The tampered device will look exactly like the Square Reader, but Square counters that the tampered device won’t work with the official Square app.
However, researchers claim that even so, the modified device can still be used as a regular credit card skimmer to store and record card information.
An attacker could even develop an unofficial app that looks legitimate but hides skimming code underneath. While the chances of encountering such a device are slim, it is worth keeping an eye on your bank statements.

Method to Steal Credit Card Data without Tampering with the Square Reader

Besides this method, the researchers also discovered another flaw that allowed them to record credit card data directly on a smartphone, even when using a regular, unaltered, encrypted reader.
Malicious merchants could use this method to scam their customers by first swiping the credit cards on their smartphone and later playing the recorded swipes back through the Square app to make fraudulent transactions.
“I can take that signal and convert it using a decoder freely available online, and then I have your credit card information,” Alexandrea Mellen, one of the three security researchers, told Motherboard.
Square admitted that it is possible to play back recorded swipes using the methods described by the researchers, but the company dismissed this as not being an actual flaw.

“We do not see it as a security risk,” a Square employee wrote in the report published on Square’s bug bounty service HackerOne. “In particular, it is not possible to process a stored swipe more than once.”

The three security researchers, John Moore, Alexandrea Mellen and Artem Losev, are going to present their findings during a talk, “MOBILE POINT OF SCAM: ATTACKING THE SQUARE READER,” on Wednesday at the Black Hat security conference in Las Vegas.

Advanced Persistent Threat (APT) type attacks continue to emerge on a global scale. What makes these attacks deviate from the norm is often the resources required to develop and implement them: time, money, and the knowledge required to create custom pieces of malware to carry out specific, targeted attacks.

Operation Lotus Blossom is one of the more recent APT attacks to have been discovered and analyzed. It is an advanced adversary campaign against mostly government and state-sponsored entities in the Philippines, Hong Kong, Vietnam, and Indonesia.
It is thought that this group carried out the attack to gain a geopolitical advantage by stealing specific information from government and military institutions in that area.
At this point, it is still too early to tell if the reach of the attack will extend to the private sector (a la Stuxnet and Duqu).

How does the attack work?

It was found that Operation Lotus Blossom involved a novel custom-built malware toolkit that the authors named Elise. This piece of malware was designed with some unique functions, including the ability to:
  • Evade sandbox detection
  • Connect to and control servers
  • Exfiltrate data
  • Deliver 2nd stage malware payloads
As has been seen with many advanced cyber espionage groups, it begins with a spear phishing email. The email contains information that looks very authentic and relevant to the government or military targets; for instance, it uses things like military rosters that the targets expect to see. Once the victim opens the attachment, a decoy document that appears legitimate is displayed, while in the background a backdoor is opened and malware is installed on the victim’s machine. This gives the attacker a base of operations from which to conduct additional network reconnaissance, compromise new systems, deliver second stage malware, or exfiltrate data.

Impact on you

  • Any malware installed on your network puts you at risk of compromise, especially one designed to steal data
  • Once installed, Elise can infect other machines and continue to deliver additional malware variants as needed
  • Elise is specially designed to steal data, putting you and your clients’ sensitive information at risk

How AlienVault Helps

AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then producing expert threat intelligence as a result. The Labs team has already released IDS signatures and a correlation rule to the AlienVault USM platform so customers can detect activity from Elise. Learn more about this threat intelligence update and others in our forum.
The Unified Security Management (USM) Platform helps you scan your network to identify assets that could be infected with the Elise malware, making it easy for you to prioritize efforts and quickly identify the systems that need to be addressed first.
Not only can it identify vulnerable systems, but it can also help you detect attempted exploits of the vulnerability.