Square says (https://squareup.com/reader): "Square is PCI-DSS Level 1 compliant and the Square Card Reader is fully encrypted. Data encryption occurs at the moment of the credit card swipe" and has an image of the reader with 'Security Encryption' pointing to the reader itself (see the page).
Well, I do own a black reader, so perhaps Square moved back to using white at some point. But there have been white readers unable to encrypt the data out 'in the wild', and I suspect this project used one of those.
I think this is it. Square probably means that as they read the bits from the reader they are being encrypted, then sent. Not stored and plain text then encrypted before being sent.
There are already plenty of examples of people hacking Squares[1], mostly to use them as credit card skimmers though. This is one of the coolest most creative hacks I have seen for it though, bravo.
exactly! this was my initial feeling when I saw their first commercial. What stops an evil clerk of switching good square with tweaked one and collecting CC data all day long?
What's to stop an evil clerk from using his eyes to read the card? The credit card industry is designed from the ground up on the assumptions that the card is insecure. The only reason Square is adding encryption is due to a PR war by it's competitors, playing off consumer fear.
On the detail page about security (https://help.squareup.com/customer/portal/articles/7764) it says: "Fully encrypted: Square performs data encryption within the card reader at the moment of swipe."
Yet, the app in this article appears to be simply recording audio from the head.
So, what's going on?