Square: Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter

Although Square Readers implement encryption, possibly with a Derived Unique Key Per Transaction DUKPT scheme, the transaction counter of a Square Reader device is not verified when performing server-side decryption of swipe data. During a valid sale, a malicious merchant or third party can recor...