Samsung Pay reportedly has security flaws, as serious as POS security flaws, that could help hackers skim credit cards wirelessly and make fraudulent transactions.
Security researcher Salvador Mendoza, who discovered the limitations in Samsung Pay’s security, has explained that they could allow a hacker to use a captured token on another device to make fraudulent payments.
Many new Samsung phones have a magnetic-based contactless payment system which converts credit card data into tokens, so that the card number itself is never exposed to an attacker. But these tokens can be stolen and then used in other hardware by a hacker to make fraudulent purchases or payments.
Salvador Mendoza, a computer science college student and researcher, presented this issue at the Black Hat 2016 conference in Las Vegas and made it clear that the token generation system is not as secure as we might believe it to be. The tokenization process gets weaker once the first token is generated from a specific card, so it may become easy to predict the subsequent tokens from that card.
Thus a hacker can steal a token from a Samsung Pay device and use it in other hardware to make fraudulent transactions. It works almost like identity theft, doesn’t it?
Salvador Mendoza describes how the Samsung Pay flaw can be exploited in a YouTube video, which is in Spanish with English subtitles. He demonstrates it using a Samsung Galaxy S6 device. A contraption strapped to his forearm wirelessly captures the tokens, which are then emailed to his inbox. He explains that the captured tokens can be loaded into another phone to make a purchase, and he also demonstrates purchases made by loading a token into a crude, home-made MagSpoof device.
In his Black Hat presentation, Salvador Mendoza says: “With Magspoof, I successfully made purchases with tokens obtained from Samsung Pay. However, I could not reuse them. Every token that goes through, it is burned. So there is no way to reuse it repeatedly. However, an attacker could try to guess the last 3 digits of the next token. Analyzing many entries, an attacker can narrow to a small range of possible for future tokens.”
He also discusses another scenario in his presentation: “Another possible scenario could be if a Samsung customer tries to use Samsung Pay but something happens in the middle of the transaction, and this does not go through, that token is still alive. Meaning that an attacker could jam the transaction process to make Samsung Pay fail and force it to generate the next token. So the attacker will be able to use the previous tokenized number to make a purchase without any restrictions.”
Salvador Mendoza also suggests solutions for the issue in his presentation: “Samsung Pay has to work harder on the token’s expiration date, to suspend them as quickly as possible after the app generates a new one, or the app may dispose of the tokens which were not implemented to make a purchase. Also Samsung Pay needs to avoid using static passwords to ‘encrypt’ its files and databases with the same function because eventually someone would be able to reverse it and exploit them. The databases are very sensitive. They contain delicate information to update token status, server connections instructions and validation certificates.”
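The issuer-side mitigation Mendoza describes (burn a token on use, expire it quickly, and suspend every earlier unspent token as soon as a new one is generated) can be modelled as a small token vault. This is an added illustration written for this article, not Samsung Pay’s code; the `TokenVault` class, its state names and the timestamps are all hypothetical, and the tokens are random values rather than anything derived from a card number.

```python
import secrets
from typing import Dict, Optional, Tuple

class TokenVault:
    """Hypothetical issuer-side store for single-use payment tokens.

    Rules enforced: a token is burned on first successful use, expires
    after a short time-to-live, and is revoked the moment a newer token is
    issued for the same card. The last rule closes the interrupted-transaction
    gap: a token that was never spent cannot be replayed once the app has
    moved on to the next one.
    """

    def __init__(self, ttl_seconds: float = 60.0) -> None:
        self.ttl = ttl_seconds
        # token -> (card_id, issued_at, state); state is live/burned/revoked/expired
        self._tokens: Dict[str, Tuple[str, float, str]] = {}
        self._latest: Dict[str, str] = {}  # card_id -> most recently issued token

    def issue(self, card_id: str, now: float) -> str:
        # Suspend the previous token for this card before handing out a new one.
        prev = self._latest.get(card_id)
        if prev is not None and self._tokens[prev][2] == "live":
            self._tokens[prev] = (card_id, self._tokens[prev][1], "revoked")
        token = secrets.token_hex(8)  # unpredictable, unrelated to the card number
        self._tokens[token] = (card_id, now, "live")
        self._latest[card_id] = token
        return token

    def redeem(self, token: str, now: float) -> Tuple[bool, str]:
        """Return (accepted, resulting_state) for a presented token."""
        entry = self._tokens.get(token)
        if entry is None:
            return False, "unknown"
        card_id, issued_at, state = entry
        if state != "live":
            return False, state  # already burned, revoked or expired
        if now - issued_at > self.ttl:
            self._tokens[token] = (card_id, issued_at, "expired")
            return False, "expired"
        self._tokens[token] = (card_id, issued_at, "burned")
        return True, "burned"

def interrupted_transaction_scenario() -> Tuple[bool, bool]:
    """Constructed timeline: first token never spent, app issues the next one."""
    vault = TokenVault(ttl_seconds=60)
    t1 = vault.issue("card-A", now=1000.0)      # transaction interrupted, t1 unspent
    t2 = vault.issue("card-A", now=1005.0)      # app generates the next token
    replay_ok, _ = vault.redeem(t1, now=1010.0)  # later attempt to spend the stale t1
    genuine_ok, _ = vault.redeem(t2, now=1010.0)
    return replay_ok, genuine_ok  # expected (False, True)
```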
This definitely is something to be taken seriously, as seriously as POS security and identity theft.
Tags: identity theft, POS security