Hacker News new | past | comments | ask | show | jobs | submit login
Using a Square Reader with a reel-to-reel (evanlong.info)
144 points by evanlong on June 16, 2012 | hide | past | favorite | 16 comments

Square says (https://squareup.com/reader): "Square is PCI-DSS Level 1 compliant and the Square Card Reader is fully encrypted. Data encryption occurs at the moment of the credit card swipe" and has an image of the reader with 'Security Encryption' pointing to the reader itself (see the page).

On the detail page about security (https://help.squareup.com/customer/portal/articles/7764) it says: "Fully encrypted: Square performs data encryption within the card reader at the moment of swipe."

Yet, the app in this article appears to be simply recording audio from the head.

So, what's going on?

The reader used in this video an older model. See http://venturebeat.com/2012/03/26/square-adds-encryption-to-...

The new readers are black, the old (unencrypted ones) are white. There was a presentation at BlackHat 2011 on how to use them as general purpose skimmers: http://www.engadget.com/2011/08/05/square-found-to-be-ripe-f...

The new readers are also white. Look very similar to the old ones but slightly thicker.

Well, I do own a black reader, so perhaps Square moved back to using white at some point. But there have been white readers unable to encrypt the data out 'in the wild', and I suspect this project used one of those.

The reader has changed since its initial launch. Not sure which model he is using.

Maybe the Square app initiates hardware encryption in the reader. Therefore, without the app, it's not enabled.

I think this is it. Square probably means that as they read the bits from the reader they are being encrypted, then sent. Not stored and plain text then encrypted before being sent.

There are already plenty of examples of people hacking Squares[1], mostly to use them as credit card skimmers though. This is one of the coolest most creative hacks I have seen for it though, bravo.

[1] http://cranklin.wordpress.com/2012/01/04/hacking-the-square/

exactly! this was my initial feeling when I saw their first commercial. What stops an evil clerk of switching good square with tweaked one and collecting CC data all day long?

What prevents the waiter at the restaurant from doing the same. I'd rather pay with card case or my phone in some way.

What's to stop an evil clerk from using his eyes to read the card? The credit card industry is designed from the ground up on the assumptions that the card is insecure. The only reason Square is adding encryption is due to a PR war by it's competitors, playing off consumer fear.

I remember putting together a mag-stripe reader with old tape heads based on schematics/code in Phrack (or maybe 2600...been awhile). At the time, tape decks were found in almost every home, while (to me) a mag-stripe reader was exoctic. Seems we've come full circle. Actually IIRC the older Square reader (which seems to be the one in the video) is literally a tape head wired to a 1/8 jack aligned to read track 2.

A few years ago I built a small circuit with a few low noise opamps attached to the reading head of an old reel-to-reel broken player, which had a few burned tubes. I used it to extract recordings from my family made in the 60's and converted them to wav/mp3/ogg. The result was fairly good, considering the age of the reels and no particular care was taken to preserve them!

EDIT: Sorry, this sounds unduly negative. It isn't meant to!

It's cool and everything, but I can't help thinking that dragging an electrical output from after the real reel-to-reel head would have been better.

Is that just me?

Anyway, now you've done it you can make neat echo / loop effects by splicing tape around some reels.

That is an awesome hack! Kudos to you. It's one of those things that initially sound too hard to believe, but then you think about it and go oh yeah.... why not?

Brilliant! Very well done.

Should have called it reel-to-real.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact