Proof of concept rootkit for iPhone can target Square. The bug the rootkit exploits to get installed is the one that Jailbreakme uses and the one that Apple refuse to fix for first gen iPhones and iPod touches. If you've still got one of those devices and you want to fix the bug then you have to jailbreak and use a third party patch.

It's also possible to weaponize the current jailbreak exploits (there are two for the current OS, only one released publicly). Make sure you download your jalbrea software from reputable sources.

That said, I'm *finally* considering buying an iPhone. I'll know in a few weeks if I can justify the $700 or not. I'm somewhat tempted to wait until the new year to see if those new phone rumors pan out however.

I had kind of hoped the Square device encrypted the mag stripe data before sending it to the phone and onto their service (maybe sending the last 4 digits to the phone for confirmation purposes), clearly not.

I guess doing that would make the device to expensive for its target audience.

The Square dongle is free when you sign up to the service so yeah, anything more than the absolute minimum hardware necessary would push up the cost for them significantly.

Square supports Android as well and there are plenty of Android rooting mechanisms out there so this flaw isn't specific to iPhones.

Its interesting that Square insist you allow location services as they mark where you did your transactions on the receipts.

I'm always surprised by the relaxed approach to card security in the US.

The hardware costs for a simple device like that Square reader would be almost insignificant. In volume, I'd be surprised if that thing cost as much as $3. Adding encryption would definitely increase the cost, but how much does it retail for right now?

It's also the most design-challenged POS credit card accepting devices I've ever seen. But that's besides the point.

Ugh, we've already gone through this in another thread. Are you saying that you never, ever give your waiter/waitress your card to take somewhere to run it? What's to keep them from taking a snapshot of your card while they're back there?

So what's the difference? Do you have an awful credit card company who does nothing for you if there are fraudulent charges to your card?

I use Square for my business and it's far better than the other options out there for me. The per-transaction cost is lower, there is no merchant fee, no monthly fee, no monthly minimum transaction limit, and I didn't pay for the reader. Every other option I looked at would have cost me at least $400 just to start, and about $20-30 a month after that. I think Square is a revolution waiting to happen...

...but that's another thread...

Not for a long time. As we've gone fully chip & PIN here now. You have to use a proper CC terminal now which means they either give you a terminal or you go to the terminal. You in theory should never lose sight of your card now.

The Square reader is incapable of interacting with the chip in the card so wouldn't be valid for payments here. The PCI DSS standards are worldwide so I'm surprised that they even allow Square in the US. PCI DSS compliance is important if you're dealing with payment details and you can't just ignore them here.

Square claim that they're PCI DSS compliant at least according to them but PCI don't list them as being compliant. There is a click through on the PCI page so I don't want to link directly. You're allowed to self certify but if you get caught out then you're in serious trouble. If they claim they're so security conscious then how come they've not been externally audited or had their system tested? Their claims of compliance seem to only cover their end and nothing at all to do with the reader or your phone. I don't see how the reader or the underlying phone platform can be compliant. Before you ask, yes I've had extensive experience with PCI DSS compliance matters and I wished I hadn't because it is always endless paperwork.


I'd prefer not to have to deal with that in the first place and I'm sure my credit card company prefers that as well. Just because the credit card company should cancel any fraudulent charges doesn't mean that you should not care. I guess its just different in the US.


So its very cheap but insecure? Nice :P

Not once since chip and pin arrived arrived in restaurants.



Credit card companies in the UK are bound by law to refund you unless you have been reckless. But that isn't the point.

Having your card number stolen means you first have to spot that it has been stolen. It means spending time working out which transactions are fraudulent (which is a pain if you make a lot of random Internet purchases on the card). It also (in my experience) means 40 minutes on the phone to card provider working through months of transactions convincing them that your valid transactions really are valid...

And on top of that it means a new card number. Which means working out which reoccurring charges are set on the old card and going and logging into websites that you've long since forgotten the password for to give them the new number.

So having a card number stolen is a pain in the arse. Unfortunately it still happens despite chip and pin, thanks to the fact that chip and pin doesn't work for online transactions yet

I attended a presentation at USENIX Security '07 that described a simple relay attack that defeats chip & PIN security. The attacker uses a relatively cheap ($500) hacked PIN terminal that relays the chip & PIN data to an accomplice, who then buys something with the hijacked credentials.

The worst part was that, according to the presenters, UK laws placed the burden of proof on the consumer to prove they were hacked, because of the assumption was that chip & PIN was unbreakable. I'm not sure if the laws have caught up, or if the distance bounding solution proposed in the paper has been widely deployed, but if not, I think I'd rather have a more easily hackable system than a false sense of security combined with laws that assume that hacks are impossible.

I think a lot of people would balk at seeing some random small merchant trying to scan their cards on the Square device, since it looks like some random home-made device.

Besides, how much longer will it be valid for? What's the PIN/CHIP roll-out schedule in the US? Here in Canada you can still swipe in a lost of places, but all credit card companies have long ago started swapping out to the new cards. Once that's al done, all magstripe readers will disappear and it will be chip-only at brick and mortar.

Europe is generally at least 10 to 15 years ahead of North America in card banking, so it's generally pointless to try and compare.

And how much of that security do you really think is attributable to chip-and-pin and how much is attributable to the fact that your card never leaves your sight?

As with so many things, they're using encryption in ways that encryption was never designed for. At this point, you're trusting the device that the retailer provides, which is the party that you're intending not to trust. In other words, you're intentionally trusting a man in the middle.

In order for any reasonable system to work, you have to push the encryption back to the card itself. And, yes, I know that the smartcard chip does actually do encryption, but the only reader for it is the retailer's device. Fortunately, Visa is actually looking at technology like this in their Emue card.

When someone finds one of those Emue cards with 4 digits on the back clearly more worn than the others, I don't think it's going to matter how much encryption is used.

It's a lot more complicated to make a device or even modify one, capable of reading and passing along the credentials from a smart chip than it is to simply make something to dump the small amount of data from a mag strip. With that mag strip data you don't even need a PIN at all for the most part which is why it's not really any security at all. It's less secure than presenting your card and running a manual imprint - though of course the vendor has the benefit of immediate authorization.

I don't know anything about how these particular chip cards are actually implemented. But the usual method (eg. GSM SIMs), is that the card NEVER divulges its "credentials" to anything even in normal use.

The whole idea with a "smart card", as opposed to a read-only barcode/stripe, is that the chip on the card holds a shared secret that is known only to it (the chip) and also to a computer back at headquarters (eg. VISA). The chip uses the shared secret to encrypt/sign data passed to it from the reader, and passes back the results for transmission to the remote headquarters. This happens with the full assumption that anything transmitted can and will be intercepted.

Done right, it's pretty secure, and no hacked reader can do anything bad with it.

Did they do it right in this case?

Yeah, that's why people report cards missing. If you lose your key, regardless of whether it's to your bank account or your house, the only thing you can do is change the locks.


What are you talking about?

Yes... but I'm not sure I would want it to be much different from what it is now.

I suppose it would be possible to have credit cards absolutely secure, and at the same time make the authentication process so odious that it would be too much trouble to use the card at all.

If a card were totally secure, would it still be possible to use it to make on-line purchases?

I have had my credit card compromised twice in about 30 years. Both times the fraud was caught within days, and I suffered no financial hardship. However, as Andy points out, it is a pain to have to update all your recurring-charge merchants. I keep a [encrypted] file on my computer with a list of everybody who has my credit card number and the relevant information (passwords, phone numbers, etc.) required to change cards. The first time my card was compromised was when a recurring-charge merchant's database was hacked. The criminal genius who ended up with my credit card information then used it to place long distance calls from his home telephone. The second time, as near as I can guess, a restaurant worker copied the number and CV code and used it to buy porn on the internet. He didn't even have the decency to share the password to the porn site with me. [I have heard rumors that if a person knows exactly where to look, it might be possible to find pictures of naked women on the internet. Could this really be true?]

My credit card has my picture on the front of it, which should help somewhat if someone unauthorized has physical possession of the card. Why don't all credit cards do this? Of course, I haven't noticed too many store clerks avidly comparing the picture on the card to my ever-so-handsome face, so in the end it's probably a "feel-good" security feature that is of no more value than comparing my signature on the back of the card to that on the store's receipt.

I guess it all comes down to, yes, I'd like more security with my credit card, but not at the expense of usability.

tanstaafl.

Although, for your house, you could always just use a bump key, assuming you haven't upgraded the crappy locks that most houses have installed.

I suppose one might hack a reader to display different charge amounts that what it internally passes to the chip, but that's what paper receipts are intended to combat.

And again, if the chip stuff is Done Right(tm), there should be nothing that a hacked reader could "steal" for future fraudulent re-use.

Cheers

Hehe. Mag strip. I must have had barcodes on the brain from something else I was doing earlier.

Mag strips - super easy to read/copy.

As far as locks go, a window is a lot easier to get into. And around these parts, there's no sense in having a super strong lock when the door itself isn't too hard to get through either. The last I heard even locks purporting to be bump-proof weren't.

I've operated the lock on my door with a neighbor's key before just by jiggling. Couldn't do the same on his lock with my key though.

You are right, much of the security of chip and pin would have been achieved by mandating portable card terminals. Before chip and pin it was normal for them to take your card to swipe it though the till. With chip and pin they have to bring the terminal to you and the card.

With portable card terminals that rely only on strip data, it would have been easier for someone to substitute a fake terminal at a restaurant as well.

It comes down to the fact that the barrier to entry for credit card fraud is significantly cheaper/easier with Square than attacks on the dedicated terminals.

Attacks on the dedicated terminals need physical access to the terminal and sufficient technical knowledge to carry out the hardware attack. Attacks on a Square or similar device can be carried out remotely and run by anybody as it is all software.

The dedicated terminals do have some protection mechanisms in place to prevent tampering but it isn't particularly amazing protection. I've triggered the tamper detection on a terminal by accident before by dropping it around 10 inches onto a table. The entire unit had to be replaced.

The attack surface for a dedicated terminal is going to be less than a Square device as you're only going to ever be doing payments on a dedicated terminal. You're not going to be surfing, reading email, playing games, iFarting or talking on a dedicated terminal.

I can believe that there are security issues with Square, and I'll keep an eye on them, but I guess I'm just not as paranoid as some of you. I haven't had a card as long as Doug, but I have had fraudulent charges made on my card before, and yes it was an annoyance but it was taken care of relatively quickly. I then updated the five places that have my card that matter. Actually, I remember being kind of relieved that I knew every place that had my card info on file, instead of there being a dozen sites out there with my card info stored.

This is only tangentially related, but I'm curious what you guys have experienced. First of all, I don't know how many of you do this, but one the back of all my cards I've always written "Please See ID" in the signature field. Do any of you do that? What has been your success rate with that? By that I meant, how many times have you actually been asked to see your ID? Sadly, for me it's been about 1 in 10 if I'm lucky. I always thank the people who ask for it.

Even before chip and pin in the UK, it was very, very rare for anyone to ever look at the signature. My signature when signing card receipts was most completely unlike the ones on the cards. Despite that I can count the number of times I was challenged in a decade on one hand.

Any "security" system that relies on humans repeatedly carrying out the same checks over and over again is mostly doomed to failure.

Well of course, and I understand that. That question wasn't related to your "chip and pin" thing, just a question in general. Having that chip and pin system is irrelevant to the issue, since anyone who got ahold of your card could still buy stuff with it and it would pass electronic verifications.

The question was entire relevant to the pre/post chip and pin era. Since chip and pin no one ever, ever looks at the signature strip as there is no need.

Before chip and pin someone took a proper look at the signature (in my experience) about one time in every several hundred transactions.

Um, the "PIN" part of "chip and PIN" means that it's a two-factor system -- a thing you have (the chip) and a thing you know (the PIN.) That doesn't mean it's bulletproof, but it's certainly better than what we have with signature verification, or the ridiculous "look at the back of the card and enter three or four more digits" that adds no real extra security other than being generated using a different algorithm than the numbers on the front.

We've already had PIN entry on POS terminals for a long time now to handle debit cards, so it's actually kind of ridiculous that it hasn't been made mandatory for credit cards as well. Just another thing the US is behind the rest of the world on.

The last few times I've paid in a restaurant using a card in the US or Canada, they've not been able to check the signature.

I ask for the bill and they come over with it.
I give them my card and they go print up the CC receipt.
They give me the card back and the two copies of the receipt.
I sign and give them back their copy but they don't get my card back.

Unless the person has amazing memory, they don't have anything to compare to.

People always think I'm an idiot or nuts when I try to put my credit card into the reader when I'm in the US :P

At a restaurant, your signature is absolutely never checked. I've had a credit card for 18 years and my signature has never been checked at a restaurant, if only because the process of authorization and signature is the same as you've described.