Hip to Hacking Square
ENG alums’ class project earns spot at Black Hat USA 2015

The Square Reader mobile point-of-sale device is the small white object plugged into the iPad Mini in this photo. Photo courtesy of Square Inc.
The Square Reader, used by millions of businesses in the United States, could at one point be converted in less than 10 minutes into a skimmer that could steal and save credit card information, according to three recent ENG grads. Their findings will be presented today at the Black Hat USA 2015 cybersecurity conference in Las Vegas.
Computer engineering grads Alexandrea Mellen (ENG’15), John Moore (ENG’15), and Artem Losev (ENG’15) discovered the vulnerability last year in a project for their Cybersecurity class, taught by Ari Trachtenberg, an ENG professor of electrical and computer engineering. “The beauty of the hardware attack itself was that there would be no sure way to know if it was the merchant with the Square Reader that actually took your information,” Mellen says.
The trio also found that Square Register software could be hacked to enable unauthorized transactions at a later date.
“The merchant could swipe the card an extra time at the point of sale,” says Moore. “You think nothing of it, and a week later when you’re not around, I charge you $20, $30, $100, $200… You might not notice that charge. I get away with some extra money of yours.”
Moore, who was valedictorian of his ENG class, says the three reported the vulnerabilities to Square last fall, and the company quickly moved to close them. Square also sent Moore a $500 “bounty” for the software hack.
Moore says there is no evidence that either of the vulnerabilities has been used to scam credit card holders, but warns that the group’s findings raise red flags for the fast-growing mobile commerce field in general.
“This isn’t just about Square,” he says. “Over the past six years, mobile point-of-sale has really taken off…and all of these providers are offering new hardware and software to process payments, and customers are trusting their credit card information to new devices that haven’t been tested as much as traditional point-of-sale devices. They’re interacting with the personal cell phone of the merchant in a lot of cases. There’s just a lot going on.”
The three turned their class project into a paper that they submitted to the Black Hat conference and waited two months before learning it had been accepted, which was a huge thing, “because Black Hat is the premier information security conference in the world,” Mellen says. The weeklong event draws everyone from hackers to government officials. Mellen and Moore will give a 25-minute presentation on their work at the conference, where they get free passes to the briefings at the Mandalay Bay Resort and Casino, worth $2,195.

Trachtenberg says students have derived papers from class projects before, but none were undergraduates and none of the conferences have had the stature of Black Hat. “This is a conference with a very high impact,” he says. “There are 10,000 security professionals that pay a lot of money to come to this conference and listen to the latest interesting security research.”
Vulnerabilities in payment software present more of an inconvenience than a financial risk, he says, at least for consumers who check their credit card statements regularly, because losses are generally covered by the credit card companies.
“The bigger reason to be scared is that Square had security in mind from the very beginning and designed these to be secure,” he says. “They should have known better than to have left these kinds of holes. It kind of bodes poorly for other vendors who might not be taking security quite as seriously and what kind of problems they might be having.”
Square doesn’t disclose how many businesses use its software or how much revenue it derives by taking a small percentage of their transactions, but Bloomberg quoted one analyst as estimating that the company took in $300 million in merchant fees in 2013.
Mellen and Moore say they made Square aware of the two potential problems late last fall, and the company was receptive to their warning.
Through the winter and spring, Square staffers discussed possible solutions and their difficulties with Moore on a page on the HackerOne platform, and they eventually settled on a solution that would alert the company if the hack was ever used.
Square did not respond in detail and declined to discuss specific solutions on the record with BU Today, but a spokesperson offered a statement: “With so many sellers relying on Square to run their business, we’ve made protecting them a priority. We protect sellers by encrypting transactions at the moment of swipe, tokenizing data once it reaches our servers, and monitoring every transaction to detect suspicious behavior. We’ve also recently migrated the small percentage of remaining sellers who use an out-of-date, unencrypted card reader to new hardware. Today, those unencrypted card readers no longer work. We’re always making advances in security, and we appreciate John Moore’s research, which encouraged us to speed up our deprecation plans.”
All three alums have other plans now. In September, Mellen will return to running her own company, Terrapin Computing LLC in Cambridge, which sells four iOS apps. Moore will start work as a software engineer for Google, and Losev will continue his computer science education at New York University.
Moore says another lesson to draw from their experience has nothing to do with hackers or credit cards and everything to do with the classroom.
“Don’t be afraid to take on a project that goes a little bit above and beyond what’s required,” he says. “We could have done a project that was a lot simpler and easier, but instead we decided to do something that was quite challenging for us. We learned a lot in the process. We put in a lot more time than we expected, and it ended up paying off in the long run.”