Save up to $1,200 on Galaxy Z Fold6!
Amazon Black Friday is here
Black Friday 2024 is a week early! Grab excellent discounts now.
00 days
00 hrs
00 mins

Samsung Pay exploit could allow hackers to “skim” credit cards, in theory

By
15comments
Google News Follow
Follow us on Google News
Samsung Android
Samsung Pay exploit could allow hackers to “skim” credit cards, in theory

There's a clever security technique built into Samsung's mobile payments service. When you make a purchase with Samsung Pay, you don't reveal any of your payment card info to the merchant because each transaction is tokenized. Tokenization is the process of obfuscating the user's actual payment card number by replacing it with a virtual one called a token. The generated token is used for sending the transaction to the card's payment network, where it is decrypted and the transaction is authorized. The user's actual payment card information is not revealed to the merchant and is not stored on Samsung's servers. That's good and all, but “security researcher” Salvador Mendoza claims that he has found a security flaw in the system that could allow fraudsters to steal tokens from users of Samsung Pay and make purchases with them.

Apparently, every time the Samsung Pay app is opened, even without initiating a transaction, it automatically generates a token. If the user initiates a purchase, that generates another token even if the purchase is canceled. The problem here, Mr. Mendoza claims, is that all these generated tokens remain active even after the session ends. This means that they can still be used for purchases, although not on the device they were generated on, if they were to be intercepted by a third party in the span of 24 hours (that's how long they remain active).

In the video below, Mendoza demonstrates how tokens can be easily collected with a skimming device attached to his wrist. After obtaining a token, he then loads it into a tool called “MagSpoof”, which he uses to make a purchase with.

Video Thumbnail


Samsung has since issued an official statement on the matter, admitting that such attacks are possible, but maintaining that they would be “extremely difficult” to pull off:

The possibility of a Samsung Pay user transmitting a payment token using user authentication such as fingerprint, having a fraudster capture the data on a separate device, and the fraudster relaying the token at a credit card reader for a successful transaction is extremely unlikely. In order for this “token skimming” to work, multiple difficult conditions must be met. First the user must permit the token and cryptogram generation with his or her own authentication method. This pair of token and cryptogram (also known as a “payment signal”) must be transmitted to the POS for each transaction and cannot be used for multiple transactions.

Then the fraudster needs to capture the signal on a device that is within very close proximity to the Samsung phone. Due to the short-range nature of MST, it is difficult to capture the payment signal. Even if the fraudster was able to capture the signal, the fraudster would have to ensure that the original payment signal of the legitimate user does not get to the issuer for approval. Otherwise the captured signal would be useless. Ensuring this may require the fraudster to jam the connection between the phone and POS terminal or to quickly complete the transaction before the legitimate user’s signal reaches the payment terminal and the card issuer. Because users typically permit the cryptogram generation just before their payment at the POS, these conditions would be very difficult to meet in practice. When any transaction happens, the legitimate Samsung Pay user would get immediately a Samsung Pay transaction notification on the smartphone screen. The users would take any necessary action with his or her issuer with payment transaction including un-familiar one. In summary, Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token.


Recommended Stories
This statement was issued by Samsung two days ago, on August 7. Earlier today, Mendoza uploaded a new “uncut” video on his YouTube channel, again demonstrating the same security flaw. As far as the video goes, Mendoza does not touch on the topic of user authentication at all. Furthermore, since there is no other way of transmitting a payment token without some sort of authentication – be it a password or a fingerprint – he seemingly authenticates the app himself while the phone is off camera for a second and mentions nothing of it. After that, he quickly manages to “capture” a token and successfully completes a purchase with it – swiftly receiving a notification from Samsung Pay on his phone – demonstrating yet again that there is a hole in the security system.

Video Thumbnail


In any case, we wouldn't worry ourselves too much over this exploit, given all the requirements that have to be met in order for fraudsters to steal our precious tokens. Still, we are glad that Mr. Mendoza has brought this security flaw to light, and we certainly hope that Samsung does its best to resolve the issue.

source: Salvador Mendoza (YouTube) via ZDNet

Recommended Stories

Loading Comments...

Popular stories

T-Mobile proves its mettle against Verizon and AT&T by doing for customers what rivals were unable to
T-Mobile proves its mettle against Verizon and AT&T by doing for customers what rivals were unable to
T-Mobile customers shopping online can get a free Pixel 9 by only paying taxes
T-Mobile customers shopping online can get a free Pixel 9 by only paying taxes
Best Buy is making you a Galaxy Tab S9 Ultra Black Friday offer you can't refuse
Best Buy is making you a Galaxy Tab S9 Ultra Black Friday offer you can't refuse
T-Mobile's epic Black Friday 2024 deals are here with free iPhones, Pixel 9s, Galaxy S24s, and more
T-Mobile's epic Black Friday 2024 deals are here with free iPhones, Pixel 9s, Galaxy S24s, and more
Google Maps helps thieves find their next target but you can stop them from making you a victim
Google Maps helps thieves find their next target but you can stop them from making you a victim
Best Buy is now selling the 512GB OnePlus 12 flagship at its killer Black Friday price
Best Buy is now selling the 512GB OnePlus 12 flagship at its killer Black Friday price

Latest News

At $150 off, the top-notch Sennheiser Momentum 4 are a must-have this Black Friday
At $150 off, the top-notch Sennheiser Momentum 4 are a must-have this Black Friday
CEO Carl Pei tells us how nothing became Nothing
CEO Carl Pei tells us how nothing became Nothing
Maximize your Galaxy Buds 3 Pro Black Friday savings with a big discount AND an Amazon gift card now
Maximize your Galaxy Buds 3 Pro Black Friday savings with a big discount AND an Amazon gift card now
Amazon boosts its Pixel 9 Pro Black Friday discount to $200 with 128 and 256GB storage
Amazon boosts its Pixel 9 Pro Black Friday discount to $200 with 128 and 256GB storage
Honor 300 Ultra leaks in high-resolution renders
Honor 300 Ultra leaks in high-resolution renders
Realme GT Neo7 tipped to pack insanely huge battery
Realme GT Neo7 tipped to pack insanely huge battery
FCC OKs Cingular\'s purchase of AT&T Wireless