
Researchers find avenues for fraud in Square - ssclafani
http://news.cnet.com/8301-27080_3-20088441-245/researchers-find-avenues-for-fraud-in-square/
======
sudonim
To me this says more about credit card security being terrible than it does
about square. After my credit card got skimmed a couple of times, I looked
into how easy it is. For a few hundred bucks you get a magnetic strip reader /
writer and you're in business cloning cards.

The hacks they mentioned:

\- Read data from a card with a square reader. Whoop dee doo... a square
reader has to do that to process a transaction. They are just capturing that
outside of the app?

\- Extract the cash from a gift card - Afaik, there's nothing nefarious about
this. I had a gift card for $500... paid the processing fee to square and got
the cash in my account. Great hack

\- Process a transaction without the physical card - You can do that already
in square, it just costs you more.

It doesn't make it easier to commit fraud IN square. You still need a tax id /
social security number to set up an account. And you need to have a bank
account connected.

Really, what it makes it easier to do is to skim credit card numbers. And this
is nothing to do with square and everything to do with credit card security.

------
awaz
Since Square adapter interfaces with mobile devices using the audio input, the
swipe basically produces a sound (corresponding to the credit card) that is
fed to the mobile device. By recording and replaying the sound, the credit
card transaction can be completed without swiping the card.

But that does not mean frauds exploit it easily.

Any one who has access to the credit card already has the credit card numbers
and the security code. One could always use that information and order items
online. But there are security mechanisms that protect such usage. The audio
recording is identical to storing the credit card number. Square uses other
mechanisms (like capturing location of each transaction) to deter fraud
behavior.

------
graiz
Title is bit misleading. Avenues for fraud are USING Square. The security flaw
is IN the design of Credit Cards. It's clever that you can plug a Square into
a tape-recorder, record a card and play it back to your iPhone. I don't think
this is a flaw in Square, it's just the commoditization of credit card
readers.

Even if Square used an encrypted dock-connector the magnetic reader is still
the equivalent of a tape-reader head. The trick could still be done albeit
with some light soldering.

------
gte910h
Square allows typed in or scanned info.

------
nhangen
Of course they do, they're trying to disrupt the company that's trying to
disrupt the industry.

