Samsung Android

Samsung Pay exploit could allow hackers to “skim” credit cards, in theory

Milen Y. posted by Milen Y.   /  Aug 09, 2016, 5:24 AM

There's a clever security technique built into Samsung's mobile payments service. When you make a purchase with Samsung Pay, you don't reveal any of your payment card info to the merchant because each transaction is tokenized. Tokenization is the process of obfuscating the user's actual payment card number by replacing it with a virtual one called a token. The generated token is used for sending the transaction to the card's payment network, where it is decrypted and the transaction is authorized. The user's actual payment card information is not revealed to the merchant and is not stored on Samsung's servers. That's good and all, but “security researcher” Salvador Mendoza claims that he has found a security flaw in the system that could allow fraudsters to steal tokens from users of Samsung Pay and make purchases with them.

Apparently, every time the Samsung Pay app is opened, even without initiating a transaction, it automatically generates a token. If the user initiates a purchase, that generates another token even if the purchase is canceled. The problem here, Mr. Mendoza claims, is that all these generated tokens remain active even after the session ends. This means that they can still be used for purchases, although not on the device they were generated on, if they were to be intercepted by a third party in the span of 24 hours (that's how long they remain active).

In the video below, Mendoza demonstrates how tokens can be easily collected with a skimming device attached to his wrist. After obtaining a token, he then loads it into a tool called “MagSpoof”, which he uses to make a purchase with.



Samsung has since issued an official statement on the matter, admitting that such attacks are possible, but maintaining that they would be “extremely difficult” to pull off:

The possibility of a Samsung Pay user transmitting a payment token using user authentication such as fingerprint, having a fraudster capture the data on a separate device, and the fraudster relaying the token at a credit card reader for a successful transaction is extremely unlikely. In order for this “token skimming” to work, multiple difficult conditions must be met. First the user must permit the token and cryptogram generation with his or her own authentication method. This pair of token and cryptogram (also known as a “payment signal”) must be transmitted to the POS for each transaction and cannot be used for multiple transactions.

Then the fraudster needs to capture the signal on a device that is within very close proximity to the Samsung phone. Due to the short-range nature of MST, it is difficult to capture the payment signal. Even if the fraudster was able to capture the signal, the fraudster would have to ensure that the original payment signal of the legitimate user does not get to the issuer for approval. Otherwise the captured signal would be useless. Ensuring this may require the fraudster to jam the connection between the phone and POS terminal or to quickly complete the transaction before the legitimate user’s signal reaches the payment terminal and the card issuer. Because users typically permit the cryptogram generation just before their payment at the POS, these conditions would be very difficult to meet in practice. When any transaction happens, the legitimate Samsung Pay user would get immediately a Samsung Pay transaction notification on the smartphone screen. The users would take any necessary action with his or her issuer with payment transaction including un-familiar one. In summary, Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token.


This statement was issued by Samsung two days ago, on August 7. Earlier today, Mendoza uploaded a new “uncut” video on his YouTube channel, again demonstrating the same security flaw. As far as the video goes, Mendoza does not touch on the topic of user authentication at all. Furthermore, since there is no other way of transmitting a payment token without some sort of authentication – be it a password or a fingerprint – he seemingly authenticates the app himself while the phone is off camera for a second and mentions nothing of it. After that, he quickly manages to “capture” a token and successfully completes a purchase with it – swiftly receiving a notification from Samsung Pay on his phone – demonstrating yet again that there is a hole in the security system.



In any case, we wouldn't worry ourselves too much over this exploit, given all the requirements that have to be met in order for fraudsters to steal our precious tokens. Still, we are glad that Mr. Mendoza has brought this security flaw to light, and we certainly hope that Samsung does its best to resolve the issue.

source: Salvador Mendoza (YouTube) via ZDNet

FEATURED VIDEO

Options

15 Comments

ctdog4748
Reply

1. ctdog4748

Posts: 797; Member since: Mar 05, 2016

Samsung tends to have a very cavalier attitude when things go wrong, witness the S7 Active waterproof debacle. They've pretty much said "f-ck it" concerning that issue, hopefully they'll take this potential problem a LOT more serious, for the safety and security of those that use Samsung Pay. Here is the link to what I'm talking about regarding the S7 Active;http://www.sammobile.com/2016/08/09/galaxy-s7-active-owners-are-getting-the-short-end-of-the-stick/

posted on Aug 09, 2016, 6:07 AM

NonFanBoy
Reply

2. NonFanBoy

Posts: 180; Member since: May 28, 2015

http://www.sammobile.com/2016/08/09/samsung-sets-the-record-straight-on-samsung-pay-vulnerability/

posted on Aug 09, 2016, 6:15 AM

greyarea
Reply

14. greyarea

Posts: 267; Member since: Aug 14, 2015

Solid independent source.

posted on Aug 09, 2016, 2:52 PM

JMartin22
Reply

3. JMartin22

Posts: 2380; Member since: Apr 30, 2013

That was a manufacturing flaw in the production process that they have since fixed. They are proactive about addressing the issues. It's just usual company PR to downplay them.

posted on Aug 09, 2016, 6:17 AM

tedkord
Reply

7. tedkord

Posts: 17454; Member since: Jun 17, 2009

I know. What's next, telling users they're holding it wrong?

posted on Aug 09, 2016, 7:57 AM

greyarea
Reply

15. greyarea

Posts: 267; Member since: Aug 14, 2015

So it's a wash and neither company or their fans should acknowledge the issues? Both companies do poorly for their size IMO.

posted on Aug 09, 2016, 2:55 PM

iWinAndroBerry unregistered
Reply

4. iWinAndroBerry unregistered

Yeah, nice try.

posted on Aug 09, 2016, 6:49 AM

nctx77
Reply

5. nctx77

Posts: 2540; Member since: Sep 03, 2013

If this was Apple Pay........

posted on Aug 09, 2016, 6:55 AM

tedkord
Reply

8. tedkord

Posts: 17454; Member since: Jun 17, 2009

Apple would deny it, and fans would be on full defense.

posted on Aug 09, 2016, 7:58 AM

Settings
Reply

9. Settings

Posts: 2943; Member since: Jul 02, 2014

...it could've been less worse.

posted on Aug 09, 2016, 7:59 AM

Unordinary unregistered
Reply

11. Unordinary unregistered

Except it runs theu Secure Enclave and.. nvm. Just go educate yourself. Lol

posted on Aug 09, 2016, 8:51 AM

ph00ny
Reply

6. ph00ny

Posts: 2066; Member since: May 26, 2011

But MST payment is only active when you turn it on. It doesn't work even when the app is on without being on the payment screen. This sounds awful like the guys that are saying chip based credit cards are vulnerable when they meet some ridiculous set of conditions

posted on Aug 09, 2016, 7:48 AM

Unordinary unregistered
Reply

10. Unordinary unregistered

In theory? Ill worry when its not theoretical

posted on Aug 09, 2016, 8:50 AM

xondk
Reply

12. xondk

Posts: 1904; Member since: Mar 25, 2014

Every payment method is subject to fraud possibilities, every single one. It all comes down to how practical it is to actually happen RL, one thing is a technical 'break' another thing is actually doing it irl, this, seems unlikely. As like most transactions these would still easily be able to raise alerts, most credit companies can disallow purchases from other countries and whatnot, heck with stores and whatnot having surveillance, this seems unlikely to be an issue. Course they might make it more likely who knows, but at current moment, seems not so.

posted on Aug 09, 2016, 8:53 AM

airisoverrated
Reply

13. airisoverrated

Posts: 55; Member since: Jun 08, 2012

So he does indeed have to initiate the signal on his phone using a fingerprint or code. You can't see him do it exactly but you see the app start "broadcasting" for lack of a better term. As a frequent user I can tell you that's ultimately the last step before a purchase. So main take away for app users is don't authenticate until you are literally paying at that moment (clearly important to avoid scimming), and avoid starting a "broadcast" and then canceling it as the token is good for 24 hours. Plus he got the notification that he made a purchase (this was a nice addition to the app). If you see a notification for a purchase you didn't make call your credit card company right away. Ultimately there are easier ways to scam a card. Maybe not as secure as a chipped card, but probably safer than using your regular card.

posted on Aug 09, 2016, 2:05 PM

view all comments
Want to comment? Please Log in or sign up.

Featured stories

Best-mid-range-400-500-dollar-affordable-flagships-phones
Best mid-range "$400-$500 flagship" phones this year
Best-Black-Friday-MEGA-deals-Apple-Samsung-LG-Target-Best-Buy-Walmart-T-Mobile-and-more
Best Black Friday MEGA deals: Apple, Samsung, LG, Target, Best Buy, Walmart, T-Mobile, and more
walmart-black-friday-deals-iphone-xs-iphone-11-galaxy-s10-note-10-plus
Walmart reveals full list of Black Friday deals, massive iPhone 11 and Note 10+ discounts included
Verizon-Motorola-Razr-price-availability
The reimagined Motorola Razr goes official as a Verizon exclusive
Pixel-4-XL-iPhone-11-Pro-Galaxy-Note-10-LG-G8X-portrait-camera-test-review
Pixel 4 XL vs iPhone 11 Pro vs Galaxy Note 10+ vs LG G8X: Which phone takes the best portrait photos?
How-Verizon-customers-get-free-Disney-Plus-starting-tomorrow
Here's how eligible Verizon subscribers can claim one free year of Disney+
Pixel-4-XL-hate-misses-the-point-this-is-the-best-performing-Android-phone-of-2019
Pixel 4 XL bashing misses the big picture: here is why I think this is the best Android phone of 2019
smartphone-colors-design-insights-motorola-executive-interview
How do you design a phone? Motorola's VP of Design gives us a peek behind the scenes

Popular stories

T-Mobiles-prepaid-5G-network-plan-prices
T-Mobile's prepaid 5G plan prices leak, and they are 'network launch' low
Dish-might-drop-over-2-million-low-income-customers-after-Boost-acquisition
Dish will reportedly drop 2.5 million low income customers after buying Boost Mobile
att-calls-t-mobile-un-carrier-moves-marketing-stunts
AT&T goes for T-Mobile's jugular, labeling the latest 'Un-carrier' moves 'marketing stunts'
ATT-seeks-to-move-grandfathered-customers-into-costlier-plans
AT&T moves grandfathered subscribers into pricier plans unilaterally
Pixel-4-XL-hate-misses-the-point-this-is-the-best-performing-Android-phone-of-2019
Pixel 4 XL bashing misses the big picture: here is why I think this is the best Android phone of 2019
This-is-the-flexible-Motorola-RAZR-2019-notch-carbon-fiber-and-all
The flexible Motorola RAZR 2019 leaks in full with notch, carbon, and all
T-Mobile-Black-Friday-2019-deals-ad-sales
T-Mobile Black Friday 2019 deals
Best-Black-Friday-MEGA-deals-Apple-Samsung-LG-Target-Best-Buy-Walmart-T-Mobile-and-more
Best Black Friday MEGA deals: Apple, Samsung, LG, Target, Best Buy, Walmart, T-Mobile, and more

Hot phones

Latest Stories

View more
This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.