New data suggests that those little Square readers can be hacked and turned into card skimmers in under 10 minutes. While a team of researchers claim to have discovered a way to disable the security measures on the little reader and turn it into a malicious data theft device, Square isn’t buying it.

In fact the data from the research team seems to point at two separate ways in which the device can be tampered with. Firstly, the group is able to turn the little reader into a typical card skimmer in under 10 minutes, allowing users to steal and then sell your credit card information. While it does not store actual swipe data, it will take card info and looks identical to an un-altered Square reader.

Secondly, the group has found a way to store actual swipes, letting attackers push purchases through to card at a later date. Once a single legitimate purchase is made on a reader using this method, attackers can store multiple swipes and use them down the line.

Square has since commented on the data, saying that it pertains to the outdated magnetic-stripe cards, and note specifically to the readers themselves. The company also suggests that any card reader on the market can be disassembled, re-worked for malicious purposes, and then set back in the original shell. But this method apparently doesn’t work on Square readers due to security measures that are in place in its software, according to the company.

In the end it seems like hacked Square readers (or any other reader for that matter) can do bad things if they aren’t connected to trusted servers. As some have suggested if a merchant tries to use a Square reader with anything other than the official app, it is probably a good idea to take a pass.