Samsung Pay exploit could allow hackers to “skim” credit cards, in theory
There's a clever security technique built into Samsung's mobile payments service. When you make a purchase with Samsung Pay, you don't reveal any of your payment card info to the merchant because each transaction is tokenized. Tokenization is the process of obfuscating the user's actual payment card number by replacing it with a virtual one called a token. The generated token is used for sending the transaction to the card's payment network, where it is decrypted and the transaction is authorized. The user's actual payment card information is not revealed to the merchant and is not stored on Samsung's servers. That's good and all, but “security researcher” Salvador Mendoza claims that he has found a security flaw in the system that could allow fraudsters to steal tokens from users of Samsung Pay and make purchases with them.
Apparently, every time the Samsung Pay app is opened, even without initiating a transaction, it automatically generates a token. If the user initiates a purchase, that generates another token, even if the purchase is canceled. The problem, Mr. Mendoza claims, is that all these generated tokens remain active even after the session ends. This means that if a third party were to intercept one within the 24 hours it stays active, it could still be used for a purchase, although not on the device it was generated on.
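To make the lifecycle problem described above concrete, here is an added Python model of a token vault; it is a constructed illustration, not Samsung's code, and the clock, card number and policy names are assumptions. With `strict=False` a token issued for a session that was merely opened or canceled stays chargeable for the full 24 hours; with `strict=True` the vault revokes it the moment the session ends without a completed purchase.

```python
import secrets
import time


class TokenVault:
    """Constructed model of a payment-token vault (not Samsung's implementation).

    strict=False mirrors the behaviour the article describes: an unused token
    stays valid for 24 hours regardless of what happened to its session.
    strict=True is the defensive policy: a token is revoked as soon as the
    session that issued it ends without a completed purchase.
    """
    TTL = 24 * 3600  # article: tokens remain active for 24 hours

    def __init__(self, strict=False, now=time.time):
        self.strict = strict
        self.now = now          # injectable clock so the expiry can be tested
        self.tokens = {}        # token -> {"pan": ..., "issued": ..., "state": ...}

    def issue(self, pan):
        """Called when the app opens or a purchase starts (a new session)."""
        token = secrets.token_hex(8)
        self.tokens[token] = {"pan": pan, "issued": self.now(), "state": "active"}
        return token

    def end_session(self, token, completed):
        """App closed, or purchase completed/canceled: settle the token's fate."""
        rec = self.tokens.get(token)
        if rec is None:
            return
        if completed:
            rec["state"] = "used"
        elif self.strict:
            rec["state"] = "revoked"   # canceled or abandoned: kill it now

    def authorize(self, token):
        """Network side: may a presented token be charged? Single-use either way."""
        rec = self.tokens.get(token)
        if rec is None or self.now() - rec["issued"] > self.TTL:
            return False
        if rec["state"] != "active":
            return False
        rec["state"] = "used"          # consumed: a second replay of it fails
        return True


def replay_after_cancel(strict):
    """A token issued for a canceled session is presented elsewhere an hour later."""
    clock = [1_000_000.0]                     # constructed fake clock, seconds
    vault = TokenVault(strict=strict, now=lambda: clock[0])
    tok = vault.issue("4111111111111111")     # constructed sample card number
    vault.end_session(tok, completed=False)   # user cancels / closes the app
    clock[0] += 3600
    return vault.authorize(tok)


def expired_after_ttl():
    clock = [0.0]
    vault = TokenVault(now=lambda: clock[0])
    tok = vault.issue("4111111111111111")
    clock[0] += TokenVault.TTL + 1
    return vault.authorize(tok)
```

The loose vault accepts the replay; the strict one refuses it, and both refuse a token older than 24 hours or one that has already been charged.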
In the video below, Mendoza demonstrates how tokens can be easily collected with a skimming device attached to his wrist. After obtaining a token, he loads it into a tool called “MagSpoof”, which he then uses to make a purchase.
Samsung has since issued an official statement on the matter, admitting that such attacks are possible, but maintaining that they would be “extremely difficult” to pull off:
This statement was issued by Samsung two days ago, on August 7. Earlier today, Mendoza uploaded a new “uncut” video on his YouTube channel, again demonstrating the same security flaw. As far as the video goes, Mendoza does not touch on the topic of user authentication at all. Furthermore, since there is no other way of transmitting a payment token without some sort of authentication – be it a password or a fingerprint – he seemingly authenticates the app himself while the phone is off camera for a second and mentions nothing of it. After that, he quickly manages to “capture” a token and successfully completes a purchase with it – swiftly receiving a notification from Samsung Pay on his phone – demonstrating yet again that there is a hole in the security system.
In any case, we wouldn't worry ourselves too much over this exploit, given all the requirements that have to be met in order for fraudsters to steal our precious tokens. Still, we are glad that Mr. Mendoza has brought this security flaw to light, and we certainly hope that Samsung does its best to resolve the issue.
source: Salvador Mendoza (YouTube) via ZDNet