Samsung Pay exploit could allow hackers to “skim” credit cards, in theory


There's a clever security technique built into Samsung's mobile payments service. When you make a purchase with Samsung Pay, you don't reveal any of your payment card info to the merchant because each transaction is tokenized. Tokenization is the process of obfuscating the user's actual payment card number by replacing it with a virtual one called a token. The generated token is used for sending the transaction to the card's payment network, where it is decrypted and the transaction is authorized. The user's actual payment card information is not revealed to the merchant and is not stored on Samsung's servers. That's good and all, but “security researcher” Salvador Mendoza claims that he has found a security flaw in the system that could allow fraudsters to steal tokens from users of Samsung Pay and make purchases with them.

Apparently, every time the Samsung Pay app is opened, even without initiating a transaction, it automatically generates a token. If the user initiates a purchase, that generates another token even if the purchase is canceled. The problem here, Mr. Mendoza claims, is that all these generated tokens remain active even after the session ends. This means that they can still be used for purchases, although not on the device they were generated on, if they were to be intercepted by a third party in the span of 24 hours (that's how long they remain active).
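The token lifecycle described above, as an added sketch that is not from the article, Mendoza, or Samsung. The `TokenService` class, the session IDs, and the single-use and revoke-on-session-end rules are assumptions made for illustration; only the 24-hour validity window comes from the text.

```python
import secrets

TOKEN_TTL = 24 * 3600  # the 24-hour validity window the article reports


class TokenService:
    """Toy issuer/authorizer (hypothetical); not any real payment network's design."""

    def __init__(self, revoke_on_session_end):
        self.revoke_on_session_end = revoke_on_session_end
        self.tokens = {}  # token -> {"session", "issued", "state"}

    def issue(self, session_id, now):
        token = secrets.token_hex(8)
        self.tokens[token] = {"session": session_id, "issued": now, "state": "active"}
        return token

    def end_session(self, session_id):
        # Hardened policy: tokens minted in a session but never spent die with it.
        if not self.revoke_on_session_end:
            return
        for rec in self.tokens.values():
            if rec["session"] == session_id and rec["state"] == "active":
                rec["state"] = "revoked"

    def authorize(self, token, now):
        rec = self.tokens.get(token)
        if rec is None:
            return "declined: unknown token"
        if rec["state"] != "active":
            return "declined: token " + rec["state"]
        if now - rec["issued"] > TOKEN_TTL:
            rec["state"] = "expired"
            return "declined: token expired"
        rec["state"] = "used"  # assumed single use: a second presentation is declined
        return "approved"


def replay_after_cancel(revoke_on_session_end, delay_seconds):
    """App is opened, the purchase is cancelled, and the unused token shows up later."""
    svc = TokenService(revoke_on_session_end)
    token = svc.issue("session-1", now=0)   # generated when the app opens
    svc.end_session("session-1")            # purchase cancelled, app closed
    return svc.authorize(token, now=delay_seconds)
```

With `revoke_on_session_end=False` the model reproduces the behaviour Mendoza describes: the unused token is still accepted an hour later and is only refused once the 24-hour window has passed.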

In the video below, Mendoza demonstrates how tokens can be easily collected with a skimming device attached to his wrist. After obtaining a token, he loads it into a tool called “MagSpoof”, which he then uses to make a purchase.



Samsung has since issued an official statement on the matter, admitting that such attacks are possible, but maintaining that they would be “extremely difficult” to pull off:


This statement was issued by Samsung two days ago, on August 7. Earlier today, Mendoza uploaded a new “uncut” video on his YouTube channel, again demonstrating the same security flaw. As far as the video goes, Mendoza does not touch on the topic of user authentication at all. Furthermore, since there is no other way of transmitting a payment token without some sort of authentication – be it a password or a fingerprint – he seemingly authenticates the app himself while the phone is off camera for a second and mentions nothing of it. After that, he quickly manages to “capture” a token and successfully completes a purchase with it – swiftly receiving a notification from Samsung Pay on his phone – demonstrating yet again that there is a hole in the security system.



In any case, we wouldn't worry ourselves too much over this exploit, given all the requirements that have to be met in order for fraudsters to steal our precious tokens. Still, we are glad that Mr. Mendoza has brought this security flaw to light, and we certainly hope that Samsung does its best to resolve the issue.

source: Salvador Mendoza (YouTube) via ZDNet


15 Comments

1. ctdog4748

Posts: 797; Member since: Mar 05, 2016

Samsung tends to have a very cavalier attitude when things go wrong, witness the S7 Active waterproof debacle. They've pretty much said "f-ck it" concerning that issue, hopefully they'll take this potential problem a LOT more seriously, for the safety and security of those that use Samsung Pay. Here is the link to what I'm talking about regarding the S7 Active: http://www.sammobile.com/2016/08/09/galaxy-s7-active-owners-are-getting-the-short-end-of-the-stick/

2. NonFanBoy

Posts: 180; Member since: May 28, 2015

14. greyarea

Posts: 267; Member since: Aug 14, 2015

Solid independent source.

3. JMartin22

Posts: 2380; Member since: Apr 30, 2013

That was a manufacturing flaw in the production process that they have since fixed. They are proactive about addressing the issues. It's just usual company PR to downplay them.

7. tedkord

Posts: 17454; Member since: Jun 17, 2009

I know. What's next, telling users they're holding it wrong?

15. greyarea

Posts: 267; Member since: Aug 14, 2015

So it's a wash and neither company nor their fans should acknowledge the issues? Both companies do poorly for their size IMO.

4. iWinAndroBerry unregistered

Yeah, nice try.

5. nctx77

Posts: 2540; Member since: Sep 03, 2013

If this was Apple Pay........

8. tedkord

Posts: 17454; Member since: Jun 17, 2009

Apple would deny it, and fans would be on full defense.

9. Settings

Posts: 2943; Member since: Jul 02, 2014

...it could've been less worse.

11. Unordinary unregistered

Except it runs thru Secure Enclave and.. nvm. Just go educate yourself. Lol

6. ph00ny

Posts: 2066; Member since: May 26, 2011

But MST payment is only active when you turn it on. It doesn't work even when the app is on without being on the payment screen. This sounds awfully like the guys that are saying chip based credit cards are vulnerable when they meet some ridiculous set of conditions

10. Unordinary unregistered

In theory? I'll worry when it's not theoretical

12. xondk

Posts: 1904; Member since: Mar 25, 2014

Every payment method is subject to fraud possibilities, every single one. It all comes down to how practical it is to actually happen RL, one thing is a technical 'break' another thing is actually doing it irl, this, seems unlikely. As like most transactions these would still easily be able to raise alerts, most credit companies can disallow purchases from other countries and whatnot, heck with stores and whatnot having surveillance, this seems unlikely to be an issue. Course they might make it more likely who knows, but at current moment, seems not so.

13. airisoverrated

Posts: 55; Member since: Jun 08, 2012

So he does indeed have to initiate the signal on his phone using a fingerprint or code. You can't see him do it exactly but you see the app start "broadcasting" for lack of a better term. As a frequent user I can tell you that's ultimately the last step before a purchase. So main takeaway for app users is don't authenticate until you are literally paying at that moment (clearly important to avoid skimming), and avoid starting a "broadcast" and then canceling it as the token is good for 24 hours. Plus he got the notification that he made a purchase (this was a nice addition to the app). If you see a notification for a purchase you didn't make call your credit card company right away. Ultimately there are easier ways to scam a card. Maybe not as secure as a chipped card, but probably safer than using your regular card.
