Hackers Cruise In The Wake Of Booming Square And Facebook

The faster tech businesses boom, the faster scam artists see opportunities to exploit them. Two hacks targeting Facebook and credit card service Square offer further lessons in failure at the speed of light.

The FBI has arrested the "Spam King" Sanford Wallace and charged him with 11 counts of fraud, intentional damage to a protected computer, and criminal contempt, the U.K. Telegraph reports today. Wallace allegedly hacked into 500,000 Facebook accounts in 2008 and 2009.

His Facebook fiasco shows again that the rapid expansion of fast-moving tech companies brings opportunities for them to fail fast and hard when it comes to stopping parasitic scam artists. Facebook caught Wallace and his scam, but not until months after he had used Facebook accounts to blast out spam in 27 million Facebook wall posts.

Meanwhile, in a related event at the Black Hat security conference in Las Vegas this week, researchers showed how Square's iPhone-based credit card reader could be used for illegal money transfers using stolen credit cards and a system that converts credit card numbers into the same sort of sound that Square uses to read them. They made use of the fact that the system does not use encryption when it reads cards, CNET tells us today. When contacted for comment, a Square spokesperson said via email: "This was not a vulnerability, but rather a simulated attempt to commit fraud. Like all credit card processors, we aggressively guard against fraud (such as the use of stolen credit cards)—and we use traffic analysis and other patented methods to detect and prevent malicious activity."

It's not the first time a potential skimming vulnerability surfaced with Square, though. Competitor VeriFone pointed out early on that Square's software encryption was dandy, but its hardware—the neat little iPhone appendage through which the card is swiped—came unencrypted and exposed. Square did not respond to Fast Company about that instance.

Airbnb, with its viral tale of rented and ransacked rooms, isn't the only booming web-based biz with teething troubles. In that sordid tale, Mark Suster, the prominent angel investor and venture capitalist with GRP Partners, offered a comment that applies more broadly to fast-growing tech companies who run into problems. "I think the strategy of saying, 'This will blow over, just move on, let the next news cycle come, people will forget this,' is always wrong," Suster said.

[Image: Flickr user ogimogi]

1 Comment

  • Gerald Irish

    These Square "hacks" are a non-issue.  Sure, someone could create a program to capture credit card numbers swiped by a Square reader.  Or they could create a fake credit card reader and do the same.  Or they could just copy down credit card numbers. 

    Truth is that credit cards are inherently insecure.  All someone needs is the number and expiration date and they can make fraudulent charges.  The CVV2 code is on the back of the card, any time you give your card to a merchant they could copy that too.

    The fact that hackers can spoof the Square audio signal so they can just input credit card numbers directly into the device is a neat exploit, but you're still going through Square's credit processing system, which means they could detect and shut down the fraud at any time.  Which is no different than fraud that occurs through any other credit processor.

    Honestly it sounds a lot like incumbent credit card processors are afraid of Square and are trying to create negative publicity to scare customers away.