Samsung Pay vulnerability to electronic skimming exposed


Security researcher Salvador Mendoza revealed last week that he has discovered a weakness in Samsung Pay security that could allow an attacker to skim credit card tokens. Once a token is grabbed by an attacker, it can be used on other phones to make fraudulent payments. The source of the weakness is found in the magnetic secure transmission (MST) technology which is unique to Samsung Pay and allows it to be used with standard card swipe hardware at retailer locations.

Mendoza discovered that Samsung’s tokenization process is the culprit. The tokens are generated so that Samsung Pay does not have to transmit actual credit card numbers from the device. However, the process is weak, especially after the first token is generated for any particular card, and is predictable. Given the wireless nature of MST and Samsung Pay, the tokens can be grabbed off a victim’s phone using skimmer type devices.

According to Mendoza, once a token is grabbed, it can be shared with other smartphones and used to make purchases. This was demonstrated by Mendoza who showed how he could steal a token and then send it to a friend in Mexico who was able to make a purchase despite Samsung Pay not being launched in Mexico yet. Mendoza indicates the only safe payment method is gift cards as Samsung Pay requires a barcode to be scanned instead of using wireless features. Otherwise, the attack will succeed against credit cards, debit cards, and prepaid cards issued by any banks affiliated with Samsung Pay.

Samsung has not responded to the report yet with any firm word on a fix for the vulnerability. Their response so far has been generic in nature noting Samsung Pay’s security features like encryption and the Samsung Knox platform while committing to “investigate and resolve the issue” like they do for all potential vulnerabilities they are made aware of.

Mendoza made the video below showing how he could grab a token and then use it. In an email last week and as part of a Black Hat appearance on August 4th he expanded on some of the security issues the weakness exposes.

source: ZDNet
via: SamMobile

About the Author: Jeff Causey

Raised in North Carolina, Jeff Causey is a licensed CPA in North Carolina. Jeff's past Android devices include an HTC EVO, a Samsung Note II, and an LG G3, and a Motorola Moto X Pure Edition along with a Samsung Galaxy Tablet 10.1. He currently uses a Samsung Galaxy S8 and (very rarely) a Nexus 7 (2013). He is also using a Verizon-branded Motorola Moto Z Play Droid supplied by his job. Jeff used to have a pair of Google Glass and a Moto 360 Sport in his stable of gadgets. Unfortunately, his wife and kids have all drunk the Apple Kool-Aid and have i-devices. Life at home often includes demonstrations of the superiority of his Android based devices. In his free time, Jeff is active in his church, a local MINI Cooper car club, and his daughter's soccer club. Jeff is married, has three kids, and a golden retriever.