Jump to content

Trying To Hack Square Credit Card Reader


Ampix0
 Share

Recommended Posts

Well I saw that we sell these things are work now and they don't require your social to buy one for $10 so I thought this could easily be turned into a skimmer,(for a proof of concept thing I would do for youtube) however this is not as easy as I expected. Maybe you guys can help me out here.

Picture%209_8.png

It seems very simple, the device just converts the magnetic strip data to sound that you could use a variety of programs to decode.

My first problem, I can't even get sound. I plugged it into the microphone jack on my computer. and of course nothing, I figured that was a bit too complicated with drivers and what not; so I grab my digital voice recorder and plug it into the external Mic jack. swipe a card. still no sound.

Link to comment
Share on other sites

Hack has already been done, but I think its more in how the device handles and decodes the data, not so much that its recorded as audio directly via mic jack - http://www.pcmag.com/article2/0,2817,2390491,00.asp

Link to comment
Share on other sites

To be honest, this type of "Audio" card swiping has been hacked a LONG time ago. I looked it up back in 2004-ish or something. I had documentation on how to decrypt the sounds and all of that. I wish i still had the info but that is basically all the "Square" app does. Except the new ones will have built in encryption from the reader to the iPhone/iPod/Android device. I'm going to guess encrypting the info before it's turned into audio, then decoded by the app.

I have 2 square readers, I signed up on the site to get them and plan on using them as intended. But not to say I wouldn't be interested in seeing the information again :D

Link to comment
Share on other sites

My first problem, I can't even get sound. I plugged it into the microphone jack on my computer. and of course nothing, [...] so I grab my digital voice recorder and plug it into the external Mic jack. swipe a card. still no sound.

Did you try hooking it up to a microphone pre-amp? And have you tried looking a the resulting output on an o-scope or multimeter instead of tying to hear it? It might be outside the audible range.

Link to comment
Share on other sites

I have plugged it in completely in my computer and in my Digital voice recorder. No sound. Though I may have a second generation where apparently the sound is encrypted but i would still expect to hear something.

Just plugged it into my android phone and went to the sound recorder, nothing. Though that jack IS meant for audio out but i figured I would try since it some how worked on your ipod outside the app.

Edited by Ampix0
Link to comment
Share on other sites

Did you try hooking it up to a microphone pre-amp? And have you tried looking a the resulting output on an o-scope or multimeter instead of tying to hear it? It might be outside the audible range.

I have seen a video on youtube of someone at some convention and the sound is quite easy to hear.

Link to comment
Share on other sites

To be honest, this type of "Audio" card swiping has been hacked a LONG time ago. I looked it up back in 2004-ish or something. I had documentation on how to decrypt the sounds and all of that. I wish i still had the info but that is basically all the "Square" app does. Except the new ones will have built in encryption from the reader to the iPhone/iPod/Android device. I'm going to guess encrypting the info before it's turned into audio, then decoded by the app.

I have 2 square readers, I signed up on the site to get them and plan on using them as intended. But not to say I wouldn't be interested in seeing the information again :D

Yes i just found this in the store remembering that a long time ago online you needed to have a SSN i didnt buy it. I saw it at my job and was like "well this will be a fun project"

But if I can not decode the encrypted data (I cant even get sound) I will most likely return it. I dont think I'll ever use it legitimately. (I wouldn't use it for illegal purposes, I just wanted to do it for the fun)

Link to comment
Share on other sites

Just a quick question, does it work when you interface it to the app's that it was made for? If it does then maybe the device first talks to the app and has some kind of hand shake going on in order to try and stop something like what you are doing. The first thing i would be doing is decompiling one of the app's and taking a look at there code to see how they work and interface with the thing.

Link to comment
Share on other sites

  • 1 year later...

On a whim I sent of for one of the new encrypted square card readers and just got in the mail today. I pulled the apk off of my phone and started looking around, and found a squaremicr-normal.ttf file. It is indeed all of the micr symbols and fonts. I am wondering why they would have micr fonts if they don't take checks? They also have 9 digit routing codes for most banks in their software.

I have also been wondering about the new encyrption. I am by no means a programmer, I just like to tinker with things. It looks like the software uses sha-1 and rsa. My understanding of best practices would be that you swipe the card. The information gets encrypted and stored in a file, then the file is sent to square and decrypted. Where is the file stored before it is sent to square? Is it deleted immediately after being sent?

Link to comment
Share on other sites

I know there is a ton of info about decoding the audio. Even before the reader came out there was a lot of information on it. Part of my problem is information overload though, I can google the crap out of something and get so much info that I don't know where to start.

Here is the link to an app that does the decoding for you:

http://www.androidapk.us/apps/Rhombus-54683.html

Link to comment
Share on other sites

  • 3 weeks later...

Did you try hooking it up to a microphone pre-amp? And have you tried looking a the resulting output on an o-scope or multimeter instead of tying to hear it? It might be outside the audible range.

I don't think it will be much if any outside of the audible range. Why would they offer that on the phone? That jack is for a headset.

Unless they plan on selling cell phones to dogs :)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...