
Square says (https://squareup.com/reader): "Square is PCI-DSS Level 1 compliant and the Square Card Reader is fully encrypted. Data encryption occurs at the moment of the credit card swipe" and has an image of the reader with 'Security Encryption' pointing to the reader itself (see the page).

On the detail page about security (https://help.squareup.com/customer/portal/articles/7764) it says: "Fully encrypted: Square performs data encryption within the card reader at the moment of swipe."

Yet, the app in this article appears to be simply recording audio from the head.

So, what's going on?




The reader used in this video is an older model. See http://venturebeat.com/2012/03/26/square-adds-encryption-to-...

-----


The new readers are black, the old (unencrypted) ones are white. There was a presentation at BlackHat 2011 on how to use them as general purpose skimmers: http://www.engadget.com/2011/08/05/square-found-to-be-ripe-f...

-----


The new readers are also white. Look very similar to the old ones but slightly thicker.

-----


Well, I do own a black reader, so perhaps Square moved back to using white at some point. But there have been white readers unable to encrypt the data out 'in the wild', and I suspect this project used one of those.

-----


The reader has changed since its initial launch. Not sure which model he is using.

-----


Maybe the Square app initiates hardware encryption in the reader. Therefore, without the app, it's not enabled.

-----


I think this is it. Square probably means that as they read the bits from the reader they are being encrypted, then sent. Not stored in plain text then encrypted before being sent.

There are already plenty of examples of people hacking Squares[1], mostly to use them as credit card skimmers though. This is one of the coolest, most creative hacks I have seen for it though, bravo.

[1] http://cranklin.wordpress.com/2012/01/04/hacking-the-square/

-----


Exactly! This was my initial feeling when I saw their first commercial. What stops an evil clerk from switching a good Square with a tweaked one and collecting CC data all day long?

-----


What prevents the waiter at the restaurant from doing the same? I'd rather pay with card case or my phone in some way.

-----


What's to stop an evil clerk from using his eyes to read the card? The credit card industry is designed from the ground up on the assumption that the card is insecure. The only reason Square is adding encryption is due to a PR war by its competitors, playing off consumer fear.

-----



