The Square dongle allows small businesses to accept in-person card payments, with transactions routed via Square's servers in return for a 2.75% commission, Infosecurity notes.
According to the Wall Street Journal, Square's dongle, which is issued free of charge and with no contract, monthly fees or merchant account required, has been something of a success in the US since it was issued, and the company is processing card transactions of around a million dollars a day.
But, the paper says, researchers from Aperture Labs demonstrated a hack of the dongle that showed how the unit could be subverted to become a card skimmer.
The researchers, Adam Laurie and Zac Franken of Aperture Labs, reportedly demonstrated at Black Hat 2011 how a thief could use a laptop, Square's software and card number credentials to pipe cash into a bank account without making a real purchase.
The process could be easier than current methods of credit-card fraud, which involve purchasing actual goods and reselling them for cash, Laurie told his audience.
“This particular attack relies on the fact that the Square tool plugs into iPads and iPhones using the audio jack. Basically, Square is taking the credit card information and converting it into audio form so this can work. Franken and Laurie’s attack uses software that was published about five years ago that does the same thing, even if the credit card itself isn’t present”, says the WSJ.
Laurie and Franken said they revealed the vulnerability to Square several months ago.
A Square spokesperson told the paper that the company uses “traffic analysis and other patented methods to detect and prevent fraud” and noted that the attack shown at Black Hat 2011 was a simulated, one-time event.