Samsung Pay reportedly has security flaws, as serious as POS security flaws, that could help hackers skim credit cards wirelessly and make fraudulent transactions.
Security researcher Salvador Mendoza, who has discovered the limitations in Samsung Pay’s security, has explained that these limitations could be used by a hacker in any other phone to make fraudulent payments.
Many new Samsung phones have a magnetic-based contactless payment system which converts credit card data into tokens. This is done to prevent stealing of credit card numbers by hackers. But these tokens can be stolen and then used in other hardware by any hacker to make fraudulent purchases or payments.
Salvador Mendoza, who is a is a computer science college student, is a researcher too. He had made a presentation on this issue pertaining to Samsung Pay at the Black Hat 2016 conference in Las Vegas, has made it clear that the system of generating tokens is not as secure as we might believe it to be. The tokenization process gets weaker once the first token is generated from a specific card. Thus it might become easy to predict the consequent tokens from that card.
Thus any hacker can easily steal a token from a Samsung Pay device and use it in other hardware to make fraudulent transactions. Works almost like identity theft of sorts, isn’t it?
Salvador Mendoza describes this in a YouTube Video, which is in Spanish and with English subtitles, as to how the Samsung Pay flaw can be exploited. He demonstrates it using a Samsung Galaxy S6 device. A contraption strapped to the forearm is used by him to wirelessly procure the tokens, which can then be emailed to his inbox. He explains that the tokens thus procured can be compiled into another phone to make a purchase. He also demonstrates how purchases can be done by loading the token into a crude, home-made MagSpoof device.
In his Black Hat presentation, Salvador Mendoza says- “With Magspoof, I successfully made purchases with tokens obtained from Samsung Pay. However, I could not reuse them. Every token that goes through, it is burned. So there is no way to reuse it repeatedly. However, an attacker could try to guess the last 3 digits of the next token. Analyzing many entries, an attacker can narrow to a small range of possible for future tokens.”
He also discusses another scenario in his presentation- “Another possible scenario could be If a Samsung customer tries to use Samsung Pay but something happens in the middle of the transaction, and this does not go through, that token still alive. Meaning that an attacker could jam the transaction process to make Samsung Pay failed and force it to generate the next token. So the attacker will be able to use the previous tokenized number to make a purchase without any restrictions”.
Salvador Mendoza also suggests solutions for the issue in his presentation- “Samsung Pay has to work harder in the token’s expiration date, to suspend them as quickly as possible after the app generates a new one, or the app may disposed the tokens which were not implemented to make a purchase. Also Samsung Pay needs to avoid of using static passwords to “encrypt” its files and databases with the same function because eventually someone would be able to reverse it and exploit them. The databases are very sensitive. They contains delicate information to update token status, server connections instructions and validation certificates.”
This definitely is something to be taken seriously, as seriously as POS security and identity theft.