Sep 8, 2025

Square Terminal Offline

SquareUp, better known simply as Square, is a US-based company that sells different payment devices and firmwares for them, worldwide. Square is one of several modern-payments’ companies that sells payment-readers that do not need to be ‘brickwall’-attached to a payment network, that are in fact wireless points of sale (PoS) suited to pop-up business and general more agile ways of taking payments. In this vein, Square goes further and is one of the few payments companies to sell PoS that work offline: they do not need to be connected to the Internet to take a payment from a payer; they will authorise the payment locally, the payer will leave with the goods, and only later will connect to the Internet and inquire with the payer’s bank if their payment is solvable. There is a risk associated to offline readers, of course, but they are sought after by remote businesses, travel companies, etc., in all cases where Internet connections are scarce or inexistent.

SquareUp is a US-based company selling wireless payment devices and software globally, specialising in modern businesses which do not use ‘brickwall’-attached to a payment network. In this vein, Square also offers offline point-of-sale (PoS) systems, allowing payments without internet access, later verifying with the payer’s bank. Though offline transactions carry risks, they are useful for businesses in remote areas.

Square’s devices, as all payments devices, are also bound by locale-specific firmware based on local regulations.

In 2023, our study of the UK-firmware Square Terminal confirmed that, as per its UK specification, this terminal/PoS only accepted Apple Pay and Google Pay for offline contactless payments, excluding other digital wallets and plastic cards.

The essence.

We. showed a series of *offline EMV attacks,* exploiting how Square terminals implement optional features like mobile-only restrictions and offline handling of over-limit transactions. These allow attackers to (1) bypass mobile-only blocks, and (2) carry out high-value fraudulent payments offline, sometimes even without a real card present.

Some attacks hold only in the shop, whilst the terminal is offline, some hold also when the terminal reconnects to the banking network.

Skill.

These attacks vary in complexity, ranging from **moderate** (replay + relay) to **advanced** (MiM with EMV field flipping). An attacker needs access to suitable card emulation and relay tools and an offline Square terminal.

No fraud checks were triggered by these attacks.

Reasons.

The root causes include: - **Incorrect handling of offline EMV checks**, especially missing checks on signed fields in offline mode. - **Square’s proprietary mobile detection**: using Value Added Services (VAS) to block plastic cards offline, which can be *replayed* to fool the terminal. - **EMV protocol flexibility and lack of expected backend checks combined with regional PIN/Tap-and-PIN rules**, letting attackers flip CVM bits to bypass card authentication.

Methodology.

We combine **practical EMV experiments** against Square hardware with **formal modelling** using Tamarin to validate and classify found attacks.

We tested real offline Square terminals, record traces, and relay or modify EMV messages to demonstrate protocol mis-implementations leading to each attack.

The Attacks (Square Offline)

ATTACK 1 — Bypass Mobile-Only Offline Restriction

**What:** Square terminals restrict offline contactless to mobile wallets. By replaying a *recorded mobile VAS response* and then relaying messages from a plastic card, attackers can make Square accept plastic cards offline. **Impact:** Violates intent to block plastic offline use; though *under-limit* transactions work, it circumvents regulatory intentions. **Skill:** Moderate — needs replay of VAS response + MiM relay.

ATTACK 3 — Visa High-Value Offline Acceptance

**What:** Combines ATTACK 1’s VAS replay with EMV TTQ/CTQ flipping to let a Square terminal offline accept *over-limit* contactless with a plastic Visa card, *without authentication*. **Impact:** “Free-lunch” high-value acceptance — merchant unwittingly accepts goods *offline* before backend sees the rejection. **Skill:** Advanced; requires modifying EMV fields while relaying.

ATTACK 4 — Mastercard High-Value Offline Acceptance

**What:** Similar to ATTACK 1 for Mastercard: the offline terminal accepts over-limit Mastercard plastic cards because it *doesn’t check CVM status offline*, before backend rejection online. **Impact:** Merchant loses goods; payment rejected once online. **Skill:** Moderate.

Notes: The paper also describes additional attacks extending these concepts to mobile wallets and other ecosystems.

Some attacks are down to a mix of features, regulations and protocol specifications, beyond Square’s one-sided choices.

Disclosure.

The authors engaged with Square in 2023 (for plastic-card attacks) and in 2024 (for mobile attacks), as well as to other stakeholders during the disclosure process.

Square was very responsible and cooperative. Fixes for the baseline Square offline restrictions (e.g., ATTACK 1) are being deployed in late 2023. Fixes for some the mobile attacks that pertained to Square were equally swiftly applied in 2024. Some attacks involve a series of combinations of cross-borders’ regulations, new mobile features and protocol specifications, which mean that longer term discussions and cooperation within the EMVCo ecosystem have to take place.

Recommendation.

Merchants and terminal vendors should ensure: - **Strict offline SDAD/IAD integrity checks** before accepting offline contactless. - **Proper enforcement of card authentication rules offline**, not deferring to backend systems, if possible . - **Careful handling of transport and mobile wallet flags**, avoiding weak detection that can be replayed.