Square says (https://squareup.com/reader): "Square is PCI-DSS Level 1 compliant and the Square Card Reader is fully encrypted. Data encryption occurs at the moment of the credit card swipe" and has an image of the reader with 'Security Encryption' pointing to the reader itself (see the page).
Well, I do own a black reader, so perhaps Square moved back to using white at some point. But there have been white readers unable to encrypt the data out 'in the wild', and I suspect this project used one of those.
I think this is it. Square probably means that as they read the bits from the reader they are being encrypted, then sent. Not stored in plain text then encrypted before being sent.
There are already plenty of examples of people hacking Squares[1], mostly to use them as credit card skimmers though. This is one of the coolest, most creative hacks I have seen for it though, bravo.
Exactly! This was my initial feeling when I saw their first commercial. What stops an evil clerk from switching a good Square with a tweaked one and collecting CC data all day long?
What's to stop an evil clerk from using his eyes to read the card? The credit card industry is designed from the ground up on the assumption that the card is insecure. The only reason Square is adding encryption is due to a PR war by its competitors, playing off consumer fear.
I remember putting together a mag-stripe reader with old tape heads based on schematics/code in Phrack (or maybe 2600... been a while). At the time, tape decks were found in almost every home, while (to me) a mag-stripe reader was exotic. Seems we've come full circle. Actually IIRC the older Square reader (which seems to be the one in the video) is literally a tape head wired to a 1/8 jack aligned to read track 2.
A few years ago I built a small circuit with a few low noise opamps attached to the reading head of an old reel-to-reel broken player, which had a few burned tubes.
I used it to extract recordings from my family made in the 60's and converted them to wav/mp3/ogg. The result was fairly good, considering the age of the reels and no particular care was taken to preserve them!
That is an awesome hack! Kudos to you. It's one of those things that initially sound too hard to believe, but then you think about it and go oh yeah.... why not?
On the detail page about security (https://help.squareup.com/customer/portal/articles/7764) it says: "Fully encrypted: Square performs data encryption within the card reader at the moment of swipe."
Yet, the app in this article appears to be simply recording audio from the head.
So, what's going on?