That may have been true initially, but according to a Square employee I talked to the reader actually has a battery and encrypts the card number before sending it to the phone. Also, each reader has a unique key.
Square added the encryption in the dongles last year. This happened not long after Verifone cited the lack of encryption in an early 2011 FUD campaign against Square.
