Security of Transactions Performed Using Credit Card Readers for Smartphones and Tablets
Author: Falade Tunde
Supervisor: Dr Kris Gaj
Purpose
The reason for taking on this project is to analyze the security of transactions that involve the use of a card reader with smartphones and tablets. Why is this important?
Focus
The focus will be on the Square card reader, which fits into the 3.5mm audio jack of smartphones and tablets.
Square card reader
- First introduced in 2010 by Square Inc. under the leadership of Jack Dorsey
- First version: 2.5cm by 1.2cm
- Does not support encryption
- Short-circuit issue with iPhone
- It was a passive device.
Greatly improved second version
- Short-circuit eliminated
- Supports encryption
- Also a passive device
- Inclusion of a TI MSP430G2412 microcontroller and an additional IC to amplify the audio output signal
The Whole Picture
- A credit card reader of a square shape that connects to the audio jack of a smartphone or tablet. This is in the possession of the merchants that sign up to Square.
- A downloaded smartphone app that decodes the audio of credit card swipes as received from the reader. These apps also dictate how the merchant interacts with the card reader and the data it receives from credit cards.
- And lastly, a backend authorization and credit card processing system.
How secure are your transactions?
Three factors that are important: Security, Trust, Privacy.
How does Square implement these three factors in its security protocol?
Security
- PCI-DSS compliant
- The new version has a TI MSP430G2412 microcontroller; it has a built-in Data Encryption Standard (DES) block cipher that uses shared-secret encryption based on a symmetric-key algorithm
- Symmetric cryptographic keys are required to be at least 128 bits long and, in the case of asymmetric keys, at least 2048 bits long
- The Square website and API are accessible through a 128-bit extended-validation SSL certificate issued by VeriSign
- Connections between networks are protected by restrictive firewalls
- The sensitive data from the magnetic stripes is not stored in the device
Trust
- Access to sensitive data, application data and cryptographic keys is controlled by Square, which means that encryption of the data starts at the swipe of the credit card
- Two-factor authentication and strong password controls are required for administrative access to systems and secure services
- Audit logs are reviewed regularly
- Detailed incident response plans have been prepared to ensure proper protection of data in an emergency
Privacy
Sensitive information transmitted while using the Square card reader is protected according to the Square privacy policy. Transaction information, location information, device information, use information (how the service is used), and information collected by cookies and web beacons are all protected.
Threats to the Security of Mobile Payment Using Smartphones and Tablets
- Network communication issues
- Malicious applications
- Forged applications
- A compromised operating system
Square and its competition: Intuit GoPayment
- PCI-DSS compliant
- Works with these OS: iOS, Android and BlackBerry
- Automatically regenerates the keys used to encrypt card data once per year
- Provides merchants with a tool to manually generate new encryption keys if a breach of security is suspected
- Automatically erases card data from stored transactions after 60 days
- Logs every transaction and every change to encryption keys
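The three GoPayment controls listed above (yearly key regeneration with a manual regenerate-on-suspected-breach option, erasure of stored card data after 60 days, and logging of key changes) as an added Python example; this is not Intuit's or Square's code, and the record layouts, the key-id scheme and the sample dates are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import secrets

RETENTION_DAYS = 60      # stored card data erased after 60 days (GoPayment, per the slide)
KEY_ROTATION_DAYS = 365  # card-data encryption keys regenerated once per year (per the slide)
audit_log: List[dict] = []  # every purge and key change is recorded here (per the slide)
@dataclass
class Transaction:       # assumed record layout
    tx_id: str
    created: datetime
    card_data: Optional[bytes]  # ciphertext of the swiped track data; None once purged
@dataclass
class KeyRecord:         # assumed record layout
    key_id: str
    created: datetime
    key: bytes

def purge_expired_card_data(transactions: List[Transaction], now: datetime) -> List[str]:
    """Drop card data from every transaction older than RETENTION_DAYS; return the purged ids."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    purged = []
    for tx in transactions:
        if tx.card_data is not None and tx.created < cutoff:
            tx.card_data = None  # the transaction record stays for bookkeeping, the card data is gone
            purged.append(tx.tx_id)
            audit_log.append({"ts": now.isoformat(), "event": "card_data_purged", "tx_id": tx.tx_id})
    return purged

def rotate_key_if_due(current: KeyRecord, now: datetime, suspected_breach: bool = False) -> KeyRecord:
    """Issue a new 128-bit key when the current one is a year old or a breach is suspected."""
    if not suspected_breach and now - current.created < timedelta(days=KEY_ROTATION_DAYS):
        return current
    new = KeyRecord(f"k-{secrets.token_hex(4)}", now, secrets.token_bytes(16))  # assumed id scheme
    audit_log.append({"ts": now.isoformat(), "event": "key_rotated", "old": current.key_id,
                      "new": new.key_id, "reason": "breach_suspected" if suspected_breach else "scheduled"})
    return new

def run_demo() -> dict:
    """Constructed sample data: a 61-day-old and a 10-day-old transaction, and a 400-day-old key."""
    now = datetime(2013, 5, 1, tzinfo=timezone.utc)
    txs = [Transaction("t1", now - timedelta(days=61), b"<ciphertext>"),
           Transaction("t2", now - timedelta(days=10), b"<ciphertext>")]
    purged = purge_expired_card_data(txs, now)
    rotated = rotate_key_if_due(KeyRecord("k-old", now - timedelta(days=400), b"\x00" * 16), now)
    fresh = KeyRecord("k-fresh", now, rotated.key)  # brand-new key: rotates only if a breach is suspected
    return {"purged": purged, "t2_kept": txs[1].card_data is not None, "rotated": rotated.key_id != "k-old",
            "fresh_unchanged": rotate_key_if_due(fresh, now) is fresh,
            "forced": rotate_key_if_due(fresh, now, True).key_id != "k-fresh",
            "events": [e["event"] for e in audit_log]}
```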
Square and its competition (cont'd): PayPal Here
- PCI-DSS compliant
- PayPal encrypted both the card reader and the app that is downloaded onto the smartphone or tablet
- The triangular shape was intended to address two drawbacks of the Square card reader: its tendency to swing around its single point of contact and the challenge of keeping the card's edge flat against what amounts to a one-inch card slot
- The wide base of the triangle provides a longer runway for the bottom edge of the card
- Supports the same OS as Square.
Test
- A skimmer app will listen to the audio of the credit card swipes
- The .wav audio file will be demodulated into a bitstream, and the sensitive data of the credit card, like the CCN, expiration date and encrypted PIN, will be decoded
- The .wav audio files can be offloaded from the smartphone and copied to a PC
- A playback cable connecting the smartphone audio jack to the PC headphone input can be used to play the .wav files back into the smartphone in place of an actual credit card swipe
QUESTIONS?
Example