Trying To Hack Square Credit Card Reader

[Ampix0]

Well I saw that we sell these things are work now and they don't require your social to buy one for $10 so I thought this could easily be turned into a skimmer,(for a proof of concept thing I would do for youtube) however this is not as easy as I expected. Maybe you guys can help me out here.

It seems very simple, the device just converts the magnetic strip data to sound that you could use a variety of programs to decode.

My first problem, I can't even get sound. I plugged it into the microphone jack on my computer. and of course nothing, I figured that was a bit too complicated with drivers and what not; so I grab my digital voice recorder and plug it into the external Mic jack. swipe a card. still no sound.

[ZazenSec]

Soo...what exactly IS the issue? That you don't have sound when it's not plugged into the iPhone? I would think that the sound is due to it interfacing with the Square app.

[digip]

Hack has already been done, but I think its more in how the device handles and decodes the data, not so much that its recorded as audio directly via mic jack - http://www.pcmag.com/article2/0,2817,2390491,00.asp

[Mr-Protocol]

To be honest, this type of "Audio" card swiping has been hacked a LONG time ago. I looked it up back in 2004-ish or something. I had documentation on how to decrypt the sounds and all of that. I wish i still had the info but that is basically all the "Square" app does. Except the new ones will have built in encryption from the reader to the iPhone/iPod/Android device. I'm going to guess encrypting the info before it's turned into audio, then decoded by the app.

I have 2 square readers, I signed up on the site to get them and plan on using them as intended. But not to say I wouldn't be interested in seeing the information again :D

[Sitwon]

My first problem, I can't even get sound. I plugged it into the microphone jack on my computer. and of course nothing, [...] so I grab my digital voice recorder and plug it into the external Mic jack. swipe a card. still no sound.

Did you try hooking it up to a microphone pre-amp? And have you tried looking a the resulting output on an o-scope or multimeter instead of tying to hear it? It might be outside the audible range.

[Mr-Protocol]

I hooked the square reader to my mic jack and it put out sound. Also built in recorder on the iPod works too (Voice Memo).

Make sure you are plugging it in all the way to your computer. It is a 3 part mini plug, not a typical 2 part for stereo audio.

[Ampix0]

I have plugged it in completely in my computer and in my Digital voice recorder. No sound. Though I may have a second generation where apparently the sound is encrypted but i would still expect to hear something.

Just plugged it into my android phone and went to the sound recorder, nothing. Though that jack IS meant for audio out but i figured I would try since it some how worked on your ipod outside the app.

Edited September 5, 2011 by Ampix0

[Ampix0]

Did you try hooking it up to a microphone pre-amp? And have you tried looking a the resulting output on an o-scope or multimeter instead of tying to hear it? It might be outside the audible range.

I have seen a video on youtube of someone at some convention and the sound is quite easy to hear.

[Ampix0]

To be honest, this type of "Audio" card swiping has been hacked a LONG time ago. I looked it up back in 2004-ish or something. I had documentation on how to decrypt the sounds and all of that. I wish i still had the info but that is basically all the "Square" app does. Except the new ones will have built in encryption from the reader to the iPhone/iPod/Android device. I'm going to guess encrypting the info before it's turned into audio, then decoded by the app.

I have 2 square readers, I signed up on the site to get them and plan on using them as intended. But not to say I wouldn't be interested in seeing the information again :D

Yes i just found this in the store remembering that a long time ago online you needed to have a SSN i didnt buy it. I saw it at my job and was like "well this will be a fun project"

But if I can not decode the encrypted data (I cant even get sound) I will most likely return it. I dont think I'll ever use it legitimately. (I wouldn't use it for illegal purposes, I just wanted to do it for the fun)

[Hyperant]

Just a quick question, does it work when you interface it to the app's that it was made for? If it does then maybe the device first talks to the app and has some kind of hand shake going on in order to try and stop something like what you are doing. The first thing i would be doing is decompiling one of the app's and taking a look at there code to see how they work and interface with the thing.

[Mr-Protocol]

If it doesn't make sound, Then your reader is probably broken...

Or it is not plugged in all the way. Push it really hard to make sure it clicks.

Edited September 5, 2011 by Mr-Protocol

[Ampix0]

I have not tried this with the app only because I never intend to use it and I would rather not give my social in that case. I am also VERY sure the device was in completely.

[Mr-Protocol]

Then I am going to say your device is broken. Good thing about signing up is that you can just ask for a new one.

[murder_face]

On a whim I sent of for one of the new encrypted square card readers and just got in the mail today. I pulled the apk off of my phone and started looking around, and found a squaremicr-normal.ttf file. It is indeed all of the micr symbols and fonts. I am wondering why they would have micr fonts if they don't take checks? They also have 9 digit routing codes for most banks in their software.

I have also been wondering about the new encyrption. I am by no means a programmer, I just like to tinker with things. It looks like the software uses sha-1 and rsa. My understanding of best practices would be that you swipe the card. The information gets encrypted and stored in a file, then the file is sent to square and decrypted. Where is the file stored before it is sent to square? Is it deleted immediately after being sent?

[Mr-Protocol]

I still have 2 of the old readers. But no clue how to decode the audio.

[murder_face]

I know there is a ton of info about decoding the audio. Even before the reader came out there was a lot of information on it. Part of my problem is information overload though, I can google the crap out of something and get so much info that I don't know where to start.

Here is the link to an app that does the decoding for you:

http://www.androidapk.us/apps/Rhombus-54683.html

[Mr-Protocol]

I have an iPod touch. No android devices :(

[anode]

Only breezed through the thread, but the WHITE ones are the 'fun' ones, no encryption. The black ones have the encryption.

[anode]

Did you try hooking it up to a microphone pre-amp? And have you tried looking a the resulting output on an o-scope or multimeter instead of tying to hear it? It might be outside the audible range.

I don't think it will be much if any outside of the audible range. Why would they offer that on the phone? That jack is for a headset.

Unless they plan on selling cell phones to dogs :)