A story on Threatpost has reopened the issue of security vulnerabilities for Square's mobile point-of-sale system. According to the post, researchers Adam Laurie and Zac Franken of Aperture Labs showed off a hack at this year's Black Hat Briefings that they said would allow a fraudster to use data from an ill-gotten credit card's magnetic stripe and route stolen funds to a bank account through Square's application. Threatpost said Laurie and Franken demonstrated the hack by making a two dollar purchase from a legitimate stored value card and then depositing the money into a Square merchant account.

The story said the researchers offered a couple of caveats to their demo. They said they did have to set up a merchant account with Square requiring an address, Social Security number and legit bank account and routing number. They also said Square's fraud systems would likely flag a high volume of fraudulent transactions.

Even with those caveats the story brings up a topic that Square probably wishes would go away. Earlier this year, Doug Bergeron, the CEO of VeriFone, criticized Square's product by saying it could facilitate credit card fraud. VeriFone even went so far as to release a "spoofed" Square application to show how easily a criminal might use the Square reader to skim card data. Square responded at the time by saying that its reader was no less secure than any other transaction involving a customer handing over a credit card. However, Square later agreed to begin encrypting data read by its credit card reader.

Threatpost said Square did not respond to requests for a statement on Laurie and Franken's hack.

For more on mobile payment security, please visit our Security research center.