Sunday, October 23, 2011

Watch Out For Credit Card Fraud

Credit Card Processing Fraud

When we think of modern-day credit card processing we think of high tech security features which make fraud almost impossible. Right? Wrong!  It seems that no matter how much we improve our credit card processing there are always some evil geniuses out there plotting to beat the system.
But in some cases, the plotters seem less than ingenious.  The hack pointed out at the Black Hat security conference seems a rather simple idea but defeats a high tech security system.  The guys over at Aperture Labs created fewer than 100 lines of code which can swipe credit card information for a system called Square.  That’s what we call an easy hack.
Square is a payment system which supposedly was a safe way to do credit card processing from mobile devices like Androids and iPhones.  These devices would effectively turn into credit card processing machines with the use of Square, but now it doesn’t seem like such a good idea.
Well, here is how the credit card processing fraud is done. Aperture Labs figured out how to move funds from a stolen credit card into the bank account set up in association with Square.  This was done without having to even swipe the credit card physically with the Square card reader called the “dongle”.  They only needed to use the code they came up with to take all the information on the magnetic strip and turn it into an audio file.  This code allows you to somehow feed the info from the magnetic strip into the microphone for conversion.
So this new sound file which contains the card information is played as a series of coordinated sounds which are fed into the Square device by audio cable and understood by the Square application.  A very easy workaround for people in the business but not something normal folks down on their luck would have figured out on their own.  But it is pretty interesting that Aperture was able to turn this credit card processing system, designed to swipe actual cards to complete a transaction, into one that can accept electronic payments.  Nice work fellas.  Now criminals don’t even have to go to the trouble of creating a plastic fake credit card, or even know the Personal ID number set up for the real card.
If this was not enough bad news for the poor Square Credit Card Processing App, Aperture Labs hit them with another goof. While testing they figured out that the Square card reader can be used to make a cloned card because the data a criminal would need from the Square is not encrypted.  I thought everything was encrypted these days?
Here’s how they did it.  This was even lower tech than the low tech hack above.  By inserting the Square dongle cable into the mobile device via the audio input, the special code created by Aperture turns the new sound file into readable data which is used to make a credit card.  Hmmm.  So this makes Square a doubly ineffective technology for mobile credit card processing doesn’t it?
The real problem here is what this does to the skimmer market.  Skimmer products are available online for people who want to do bad things, but this Square situation makes the difficult task of skimming into something very simple.  It lowers the barrier to entry into the skimming profession because you now need no skill or understanding of the complicated processes used in credit card processing.
Of course Square is working on a fix for the problem, which they have known about for some time.  But they didn’t really feel it was an effective method for fraud and thought it wouldn’t cause problems.  But when your technology is demonstrated at something called a “Black Hat” anything, it is time to make the fix.
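
The first problem above is that the app accepts whatever arrives on the audio input as a swipe. As an added example (not from this post and not Square's actual fix), here is one way a backend could refuse card data that did not come from a genuine reader, assuming a hypothetical reader that holds a per-device key and tags every swipe with a counter and an HMAC; the device ID, key and track string are constructed values.

```python
import hashlib
import hmac
import struct

# Hypothetical per-device keys provisioned at manufacture (constructed values).
DEVICE_KEYS = {b"RDR00001": bytes(range(32))}
# Constructed, non-functional track string used only as sample input.
TRACK = b";0000000000000000=00000000000?"


def reader_frame(device_id: bytes, counter: int, track: bytes, key: bytes) -> bytes:
    """What a hardened reader would emit: id | counter | track | HMAC tag."""
    body = device_id + struct.pack(">Q", counter) + track
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SwipeVerifier:
    """Server-side check: accept a frame only if its tag and counter are valid."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # device id -> highest counter accepted so far

    def verify(self, frame: bytes) -> str:
        if len(frame) < 8 + 8 + 32:  # id + counter + tag, before any track data
            return "reject: too short"
        body, tag = frame[:-32], frame[-32:]
        device_id = body[:8]
        counter = struct.unpack(">Q", body[8:16])[0]
        key = self.keys.get(device_id)
        if key is None:
            return "reject: unknown reader"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad tag"
        if counter <= self.last_counter.get(device_id, -1):
            return "reject: replayed"  # same swipe played back a second time
        self.last_counter[device_id] = counter
        return "accept"


if __name__ == "__main__":
    verifier = SwipeVerifier(DEVICE_KEYS)
    genuine = reader_frame(b"RDR00001", 1, TRACK, DEVICE_KEYS[b"RDR00001"])
    for label, frame in [("genuine", genuine), ("replay", genuine), ("raw", TRACK)]:
        print(label, "->", verifier.verify(frame))
```

This covers only the injected-audio case; stopping the dongle from being used as a skimmer would additionally require encrypting the track data inside the reader itself.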