Too Many Payment Features
SquareUp, better known simply as Square, is a US-based company selling wireless payment devices and software worldwide. Square is part of a new generation of modern-payments companies whose point-of-sale (PoS) systems are not permanently wired to a fixed payment network, but instead support mobile, pop-up, and agile business models.
In this vein, Square goes further than most by offering offline-capable PoS terminals. These devices can authorise payments locally without an Internet connection: the payer leaves with the goods, and only later, once connectivity is restored, does the terminal contact the banking network to learn whether the transaction will actually be honoured. While offline payments carry inherent risks, they are valuable for remote businesses, transport, travel, and environments with scarce or unreliable connectivity.
Square’s devices are also bound by locale-specific firmware, reflecting local regulations and payment-network rules. In 2023, our study of the UK-firmware Square Terminal confirmed that, according to its UK specification, the terminal accepted only Apple Pay and Google Pay for offline contactless payments, explicitly excluding plastic cards and other wallets.
The essence
We identified and demonstrated a series of offline EMV attacks against the UK-firmware Square Terminal. These attacks exploit how optional EMV features, local business rules, and proprietary mechanisms are combined in offline mode.
In particular, weaknesses in mobile-only enforcement, offline handling of over-limit transactions, and cryptographic verification allow attackers to:
- Bypass Square’s restriction that offline contactless payments must originate from mobile wallets.
- Carry out high-value fraudulent payments offline, sometimes even without a real card present.
Some attacks are effective only while the terminal remains offline; others persist even after the terminal reconnects to the banking network.
Skill
The attacks vary in complexity:
- Moderate: replay and relay-based attacks requiring recorded traces and man-in-the-middle positioning.
- Advanced: attacks involving active manipulation of EMV fields (e.g., TTQ, CTQ, CVM-related bits) during relay.
An attacker requires EMV/RFID expertise, suitable card emulation or relay tools, and access to an offline Square Terminal.
Notably, no fraud checks were triggered during these attacks.
The attacks (Square Offline)
ATTACK 1 — Bypass Mobile-Only Offline Restriction
What: Square restricts offline contactless payments to mobile wallets (Apple Pay / Google Pay). By replaying a previously recorded mobile Value Added Services (VAS) response and relaying EMV messages from a plastic card, attackers can make the terminal accept plastic cards offline.
Impact: Violates Square’s stated policy and regulatory intent; enables unauthenticated offline use of lost or stolen cards under the contactless limit.
Skill: Moderate — requires VAS replay and EMV relay.
ATTACK 2 — Visa High-Value Offline Acceptance
What: Extends ATTACK 1 by combining VAS replay with TTQ/CTQ manipulation, causing the offline terminal to accept over-limit Visa contactless payments without cardholder authentication.
Impact: High-value “free-lunch” payments: the merchant releases goods offline, while the transaction is later rejected by the bank once connectivity is restored.
Skill: Advanced — requires man-in-the-middle modification of EMV fields.
ATTACK 3 — Mastercard High-Value Offline Acceptance
What: Similar in spirit to ATTACK 1, but exploiting the terminal’s failure to correctly enforce offline CVM checks for Mastercard transactions.
Impact: Over-limit offline acceptance followed by online rejection; direct financial loss to the merchant.
Skill: Moderate.
ATTACK 4 — Offline Acceptance of Non-Issued (“Made-Up”) Visa Cards
What: In certain firmware versions deployed after earlier fixes, the offline Square Terminal failed to perform correct cryptographic verification (e.g., SDAD/IAD checks) for Visa cards and Visa-based wallets. This allowed payments to be made offline using completely fabricated Visa cards, for any amount the terminal was willing to accept offline (up to £25,000 in our experiments).
Impact: Extreme risk in offline scenarios: merchants accept goods based on transactions that are guaranteed to be rejected once the terminal reconnects.
Skill: Advanced.
Note: The paper also describes extensions of these attacks to mobile wallets (Apple Pay, Google Pay, Samsung Pay) and transport/transit-mode scenarios, as well as interactions with ecosystem-wide EMV features beyond Square-specific choices.
Reasons
The root causes span multiple layers:
- Incorrect handling of offline EMV checks, including missing or incomplete verification of signed data (SDAD, IAD) and CVM status.
- Square’s proprietary mobile detection, based on replayable VAS exchanges rather than cryptographically bound guarantees.
- EMV protocol flexibility combined with regional rules (e.g., Tap-and-PIN, transport mode), enabling attackers to flip or suppress authentication-related indicators.
- Firmware evolution under regulatory and ecosystem pressure, leading to subtle regressions in offline verification logic.
Some attacks arise from Square’s design choices; others emerge from complex interactions between specifications, regulations, and payment-network behaviour.
Methodology
We combined:
- Practical EMV experiments on real offline Square Terminals, including trace recording, replay, relay, and active message modification.
- Formal modelling and analysis, using tools such as Tamarin, to validate attack feasibility and classify protocol failures.
Our work includes both implementation-level experimentation and formal reasoning about the resulting security properties.
Demos
A demonstration recorded in July 2024 shows an offline payment of £25,000 using a non-issued (made-up) Visa card, later rejected when the terminal reconnects:
Disclosure
The authors engaged responsibly with Square during multiple disclosure phases:
- 2023: disclosure of plastic-card and offline restriction bypass attacks.
- 2024: disclosure of mobile-wallet and cryptographic verification issues.
Square was cooperative and responsive. Fixes for baseline offline restrictions (e.g., ATTACK 1) were deployed in late 2023, and several mobile-related issues were addressed in 2024. Some attacks involve broader ecosystem considerations, requiring longer-term coordination within EMVCo and with payment networks.
Recommendations
We recommend that merchants, terminal vendors, and the wider EMV ecosystem ensure:
- Strict offline integrity checks on SDAD, IAD, and CVM-related data.
- Correct enforcement of authentication rules offline, rather than deferring entirely to backend checks.
- Cautious use of mobile and transport-mode indicators, avoiding replayable or weakly bound detection mechanisms.
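The three recommendations above, written out as a fail-closed offline acceptance gate and contrasted with a policy that defers data authentication to the backend. This is an added illustrative model, not Square's firmware or the paper's code; the field names, the limits and the constructed cases are assumptions chosen to mirror the attack classes described on this page.

```python
from dataclasses import dataclass

# Illustrative offline contactless acceptance gate (added example, not Square's code).
# Amounts are in pence; both limits are hypothetical placeholders, not Square's values.
CONTACTLESS_CVM_LIMIT = 10_000   # above this, a cardholder verification method is required
OFFLINE_CEILING = 50_000         # hard cap the terminal will authorise without going online


@dataclass(frozen=True)
class OfflineTxn:
    amount: int
    sdad_verified: bool    # signed dynamic data (SDAD) verified against the issuer/ICC certificate chain
    cdcvm_claimed: bool    # card-side indicator (e.g. CTQ / CVM results) says consumer-device CVM was done
    wallet_detected: bool  # a VAS-style exchange indicated a mobile wallet
    wallet_bound: bool     # that wallet evidence is bound to this transaction's signed data, not replayable


def deferring_policy(t: OfflineTxn) -> str:
    """Weak policy: trusts unsigned indicators and leaves data authentication to the bank later."""
    if not t.wallet_detected:
        return "decline:mobile_only"
    if t.amount > CONTACTLESS_CVM_LIMIT and not t.cdcvm_claimed:
        return "decline:cvm_required"
    return "accept"  # an unverifiable SDAD is ignored; the backend will reject it after reconnecting


def strict_policy(t: OfflineTxn) -> str:
    """Fail-closed policy: every indicator is trusted only after the card's dynamic signature verified."""
    if not t.sdad_verified:
        return "decline:oda_failed"        # unauthenticated card data is never accepted offline
    if not (t.wallet_detected and t.wallet_bound):
        return "decline:mobile_only"       # replayable wallet detection does not satisfy the mobile-only rule
    if t.amount > CONTACTLESS_CVM_LIMIT and not t.cdcvm_claimed:
        return "decline:cvm_required"      # over-limit transactions need a verified CVM, not a flag
    if t.amount > OFFLINE_CEILING:
        return "decline:offline_ceiling"   # high-value payments are never authorised offline
    return "accept"


# Constructed cases mirroring the attack classes on this page
FABRICATED_CARD = OfflineTxn(2_500_000, sdad_verified=False, cdcvm_claimed=True,
                             wallet_detected=True, wallet_bound=False)   # made-up card, £25,000
REPLAYED_VAS_PLASTIC = OfflineTxn(2_000, sdad_verified=True, cdcvm_claimed=False,
                                  wallet_detected=True, wallet_bound=False)  # real card, replayed wallet evidence
GENUINE_WALLET = OfflineTxn(15_000, sdad_verified=True, cdcvm_claimed=True,
                            wallet_detected=True, wallet_bound=True)      # legitimate over-limit wallet payment
```

The deferring policy accepts all three constructed cases; the strict policy accepts only the genuine wallet and names the failed check for the other two.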
Further reading
More can be read in [More is Less: Extra Features in Contactless Payments Break Security](https://www.usenix.org/system/files/usenixsecurity25-pavlides.pdf), by George Pavlides, Anna Clee, Ioana Boureanu, and Tom Chothia, published at USENIX Security 2025.