When our team prepared for our presentation on Square, we did not expect that there would be so much interest in the security aspect of using Square. In order to focus on the other interesting elements of the Square Register app, our team spent a mere 20 seconds explaining how the Square reader works. We actually wanted to highlight how Square could still be useful even if it was used without the credit card reader.
After reading through the reviews and comments posted by the rest of the class, I felt that I should share some of my thoughts on security.
I did some research on this area, and everything discussed here is publicly available information. Also, as I do not have a strong background in cryptography, do read up more on your own if you are interested — and feel free to correct me if I’m wrong.
Conversion to Sound is NOT Encryption
Some of the class seem to have the impression that the conversion of data into sound waves is what makes Square secure. This is not actually the case. After the card data in the magnetic stripe is read, a piece of hardware in the reader is responsible for encrypting this information. As to how this chip does it, or what cryptographic cipher it uses — I don’t know. In the Square app, the analogue sound waves are converted back into digital data, but the content remains encrypted.
A study on the security of smartphone-based POS systems listed some of the potential threats faced by these systems:
Unencrypted information transmitted from the app over the network could be intercepted. However, the study also found that all applications tested were protected from this via the use of TLS to encrypt data sent over the network.
Malicious software or a compromised OS could intercept data sent over the audio-jack. In other words, you could have installed a bad app that tries to listen on the microphone jack for data from the Square reader. According to the study, readers without hardware encryption are indeed susceptible to this form of attack. While the first version of Square did not offer hardware-based encryption, this is no longer the case.
The reader device could be altered at a hardware level to entirely bypass encryption. However, in order to transmit this data back to the attacker, the smartphone used also has to be compromised.
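The difference between encoding and encryption, and why a reader without hardware encryption is exposed to software listening on the audio jack, can be shown in a few lines. This is an added example, not part of the original post and not Square's actual signalling or cipher: the two-tone encoding, the HMAC-based stand-in cipher, the sample card string and the key are all constructed for illustration.

```python
import hashlib, hmac, math

RATE, PER_BIT = 8000, 40        # toy sample rate and samples per bit (assumed)
F0, F1 = 1000.0, 2000.0         # tone for a 0 bit and for a 1 bit (assumed)

def to_audio(data: bytes) -> list:
    """Encode bytes as tone bursts, one per bit. No key is involved."""
    out = []
    for byte in data:
        for i in range(7, -1, -1):
            f = F1 if (byte >> i) & 1 else F0
            out += [math.sin(2 * math.pi * f * n / RATE) for n in range(PER_BIT)]
    return out

def _energy(chunk, f):
    """Signal energy at frequency f (correlation with sine and cosine)."""
    s = sum(x * math.sin(2 * math.pi * f * n / RATE) for n, x in enumerate(chunk))
    c = sum(x * math.cos(2 * math.pi * f * n / RATE) for n, x in enumerate(chunk))
    return s * s + c * c

def from_audio(samples) -> bytes:
    """Decode tone bursts back to bytes. Anyone who hears the audio can do this."""
    value, out = 0, bytearray()
    for k in range(0, len(samples), PER_BIT):
        chunk = samples[k:k + PER_BIT]
        value = (value << 1) | (_energy(chunk, F1) > _energy(chunk, F0))
        if (k // PER_BIT) % 8 == 7:     # eight bits collected: emit one byte
            out.append(value)
            value = 0
    return bytes(out)

def stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream; stand-in for the reader's unknown cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def listen(card: bytes, key=None, nonce=b"\x00" * 12) -> bytes:
    """What software on the audio jack recovers, with or without reader encryption."""
    sent = stand_in_cipher(key, nonce, card) if key else card
    return from_audio(to_audio(sent))

CARD = b"CONSTRUCTED-CARD-DATA-0000"    # constructed sample, not real track data
KEY = bytes(range(32))                  # constructed key; the phone never holds it

if __name__ == "__main__":
    print(listen(CARD))                 # unencrypted reader: plaintext comes back
    print(listen(CARD, KEY).hex())      # encrypting reader: only ciphertext is audible
```

Decoding the audio needs no secret at all, so the protection comes entirely from the encryption step performed before the data reaches the jack.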
Would You Use It?
Security and technicality aside, would you use such a technology? As a customer, would you choose NOT to patronise a merchant if it processes your card payment using a smartphone or similar devices? Would you even care? Most of the time, when customers make payments in restaurants, their credit card is passed to the waiter, who then returns with a receipt for the customer to sign. If Square is used together with their receipt printer, one could argue that the customer might not even know the payment was processed by Square.
On the other hand, data on credit cards remains insecure as long as it is encoded on the magnetic stripe. Anyone with a cheap magnetic stripe card reader can read, or even duplicate, the data stored on the card without much difficulty. Or even easier — the waiter taking your card could simply snap a picture of the card number together with the CVV code. This information is enough for them to use your card to make online transactions.
Would you stop using credit cards entirely?