Earlier this year we wrote about Square, an application that allows smartphones to function as credit card readers using a small device that plugs into the headphone jack. The advantage: anyone with the application can process transactions on the fly by simply swiping a physical card through the reader.
Now, two British technology security researchers have discovered a way to process transactions without having to swipe a physical card—meaning all a thief would need is magnetic stripe data in order to process transactions.
Adam Laurie and Zac Franken announced last week that with a stolen credit card, a microphone and a hundred lines of computer code, they were able to use the card to make fraudulent purchases. Here’s how the hack works. First, Laurie fed the data on a card’s magnetic stripe into a microphone and converted it into sound—a series of beeps. Then they played the beeps into a stereo cable connected to a Square device, which read it just as if the card was being swiped.
“It turns any iPhone into a skimmer,” Laurie said at last week’s Black Hat computer security conference in Las Vegas, according to reporting by CNET. The main difference between old skimming technology and Square is that “now you need less technical hardware to do it and no technical skills at all.”
Voila! Thieves get access to your credit card. If they happened to steal your phone along with your card, they could even use your own phone to defraud you.
Square did not respond to an email seeking comment.
“This lowers the bar,” Laurie said. “This really takes the hassle out of” performing credit card fraud.
Laurie and Franken figured out this major flaw in the Square way back in February, and told the company about it, CNET reports. The devices have been on sale since May.