Samsung Pay security hole allows hackers to steal tokens

Samsung Pay, one of the leading mobile payment systems, uses tokens to make purchases. Tokens are randomly generated virtual payment details that never store or reveal the card details. The token details are encrypted and can be decrypted only by authorised machines for authorised purchases. A token is generated automatically, and when we attempt a purchase, another token is generated. A token is generated every time we open the Samsung Pay app, even without initiating any payment. At first sight, this seems like a secure design.

The security researcher Salvador Mendoza states that Samsung Pay is not secure at all. According to him, the tokens remain active even after the session is closed, and this is the flaw that lets attackers in. He also made a demonstration video describing how he found the vulnerability. He collected tokens using a skimmer, loaded them into a module named MagSpoof, and was able to make purchases with them.

Following his post, Samsung released an official statement regarding the security of Samsung Pay, as follows:

“The possibility of a Samsung Pay user transmitting a payment token using user authentication such as fingerprint, having a fraudster capture the data on a separate device, and the fraudster relaying the token at a credit card reader for a successful transaction is extremely unlikely. In order for this “token skimming” to work, multiple difficult conditions must be met. First the user must permit the token and cryptogram generation with his or her own authentication method. This pair of token and cryptogram (also known as a “payment signal”) must be transmitted to the POS for each transaction and cannot be used for multiple transactions.

Then the fraudster needs to capture the signal on a device that is within very close proximity to the Samsung phone. Due to the short-range nature of MST, it is difficult to capture the payment signal. Even if the fraudster was able to capture the signal, the fraudster would have to ensure that the original payment signal of the legitimate user does not get to the issuer for approval. Otherwise the captured signal would be useless. Ensuring this may require the fraudster to jam the connection between the phone and POS terminal or to quickly complete the transaction before the legitimate user’s signal reaches the payment terminal and the card issuer. Because users typically permit the cryptogram generation just before their payment at the POS, these conditions would be very difficult to meet in practice. When any transaction happens, the legitimate Samsung Pay user would get immediately a Samsung Pay transaction notification on the smartphone screen. The users would take any necessary action with his or her issuer with payment transaction including un-familiar one. In summary, Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token.”

But today, Salvador Mendoza uploaded a new, uncut video showing the complete steps he took to make purchases using the “stolen” tokens from his own Galaxy S6, without the phone being present. After he made the purchase, the phone received a notification from the Samsung Pay app showing the complete transaction details.

It is clear that Samsung Pay has a real security weakness, as Mendoza showed, so we can expect Samsung to fix the flaw soon.
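The core of the dispute above is the token lifecycle: Samsung says each token/cryptogram pair is single-use, while Mendoza shows that a token generated when the app is merely opened stays redeemable after the session ends. The following is an added illustration, not Samsung's or Mendoza's code: a simplified issuer-side model (class and field names are hypothetical) that compares a vault that keeps unused tokens alive after the session closes with one that revokes them, and that rejects a token the second time it is presented.

```python
import secrets


class TokenVault:
    """Constructed model of issuer-side one-time payment tokens.
    Times are passed in explicitly so the behaviour is deterministic."""

    def __init__(self, ttl_seconds=60, revoke_on_session_close=True):
        self.ttl = ttl_seconds
        self.revoke_on_session_close = revoke_on_session_close
        self.active = {}   # token -> (issued_at, session_id)
        self.redeemed = set()

    def issue(self, session_id, now):
        # A fresh random token is minted whenever the app opens a session.
        token = secrets.token_hex(8)
        self.active[token] = (now, session_id)
        return token

    def close_session(self, session_id):
        # The hardened behaviour: unused tokens die with the session.
        if self.revoke_on_session_close:
            for tok, (_, sid) in list(self.active.items()):
                if sid == session_id:
                    del self.active[tok]

    def redeem(self, token, now):
        if token in self.redeemed:
            return "REJECT_REPLAY"            # same payment signal seen twice
        meta = self.active.pop(token, None)
        if meta is None:
            return "REJECT_UNKNOWN_OR_REVOKED"
        issued_at, _ = meta
        if now - issued_at > self.ttl:
            return "REJECT_EXPIRED"
        self.redeemed.add(token)
        return "APPROVED"


def skimmed_after_close(revoke_on_session_close):
    """User opens the app (token issued), makes no purchase, closes the app.
    A skimmed copy of that token is then presented 30 seconds later."""
    vault = TokenVault(ttl_seconds=60, revoke_on_session_close=revoke_on_session_close)
    token = vault.issue(session_id="user-session-1", now=0)
    vault.close_session("user-session-1")
    return vault.redeem(token, now=30)


def replay_after_legitimate_use():
    """The legitimate purchase goes through; a replay of the same token must not."""
    vault = TokenVault()
    token = vault.issue(session_id="user-session-2", now=0)
    return vault.redeem(token, now=5), vault.redeem(token, now=10)
```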
