Hacking Samsung Pay tokens…

A recently discovered bug in Samsung Pay could allow hackers to intercept tokens generated by the contactless payment system and use them to make fraudulent payments. A proof of concept exploit was detailed by Salvador Mendoza during a Black Hat talk in Las Vegas.

The problem lies within Samsung Pay’s tokenization process, in which credit card data is obfuscated in order to ensure it’s not shared with the merchant or with Samsung itself during a purchase. These tokens are automatically generated when the user initiates the purchase. However, if the purchase is not completed, the token will still remain active for 24 hours even after the session ends. If the user initiates a new purchase a new token will be generated.
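To make the lifetime issue concrete from the defender's side, here is an added toy model of a per-transaction token vault. It is not code from the article, from Samsung Pay or from Mendoza's talk; the class and function names, the 24-hour and 60-second lifetimes and the session identifiers are all assumptions for illustration. The weak configuration keeps an abandoned token valid for 24 hours, as the article describes; the hardened configuration binds the token to its session, revokes it the moment the session ends, enforces single use and uses a short time-to-live.

```python
"""
Added example (not from the article, Samsung Pay or the Black Hat talk):
a toy single-use payment token vault contrasting the weak policy the
article describes (token stays valid for 24 hours after an abandoned
purchase) with a hardened policy (token revoked when the session ends,
short TTL, single use). All names and lifetimes are assumptions.
"""
import secrets
from dataclasses import dataclass, field

DAY = 24 * 3600  # assumed weak lifetime, matching the 24 hours in the article


@dataclass
class Token:
    value: str
    session_id: str
    issued_at: float
    ttl: float
    used: bool = False
    revoked: bool = False


@dataclass
class TokenVault:
    """Issues and validates per-transaction tokens.

    ttl=DAY with invalidate_on_session_end=False mimics the behaviour the
    article describes; a short ttl with invalidate_on_session_end=True is
    the hardened configuration.
    """
    ttl: float = DAY
    invalidate_on_session_end: bool = False
    _tokens: dict = field(default_factory=dict)

    def issue(self, session_id: str, now: float) -> str:
        # Fresh random token per purchase: not derived from earlier tokens,
        # so knowing one token says nothing about the next.
        value = secrets.token_hex(8)
        self._tokens[value] = Token(value, session_id, now, self.ttl)
        return value

    def end_session(self, session_id: str) -> None:
        """Called when the user abandons the purchase without paying."""
        if not self.invalidate_on_session_end:
            return  # weak policy: the token silently stays live
        for t in self._tokens.values():
            if t.session_id == session_id:
                t.revoked = True

    def redeem(self, value: str, now: float) -> bool:
        """True if a merchant may charge against this token; marks it used."""
        t = self._tokens.get(value)
        if t is None or t.used or t.revoked:
            return False
        if now - t.issued_at > t.ttl:
            return False
        t.used = True
        return True


def abandoned_token_accepted(vault: TokenVault, delay: float) -> bool:
    """Simulate the article's scenario: a token is issued, the purchase is
    abandoned, and the same token is presented `delay` seconds later.
    Returns whether the vault would still honour it."""
    t0 = 1_000_000.0  # constructed timestamp
    tok = vault.issue("session-A", t0)
    vault.end_session("session-A")
    return vault.redeem(tok, t0 + delay)


def double_redeem(vault: TokenVault) -> tuple:
    """Single-use check: the second presentation of a token must fail."""
    tok = vault.issue("session-B", 0.0)
    return vault.redeem(tok, 1.0), vault.redeem(tok, 2.0)


if __name__ == "__main__":
    weak = TokenVault()  # 24 h TTL, nothing happens when the session ends
    hardened = TokenVault(ttl=60, invalidate_on_session_end=True)
    print("weak honours abandoned token after 1 h:    ", abandoned_token_accepted(weak, 3600))
    print("hardened honours abandoned token after 5 s:", abandoned_token_accepted(hardened, 5))
    print("single use enforced (True, False):         ", double_redeem(weak))
```

The point of the model is the `end_session` hook: in the weak configuration it is a no-op, so the token's only expiry is the clock, which is exactly the 24-hour window the article describes. Revoking on session end, together with a short TTL, shrinks the useful life of an intercepted token to the few seconds a genuine purchase takes.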

Mendoza demonstrated how it’s possible to use a concealed skimming device to obtain the token as it’s generated. He then loads it into a tool called MagSpoof, which he uses to make a purchase at a vending machine.

Of course, in a typical situation a token would only be useful for a few seconds before it is used to authorize an actual payment. Samsung acknowledges the problem but says that, because of this, such attacks are “extremely difficult” to pull off.

However, in a targeted attack, all it takes is some social engineering to get a user to unsuspectingly generate a token by authenticating but not completing a payment. Mendoza suggests that a hacker might trick the user by asking for a demo of Samsung Pay, or, with a little more access, by setting up a fake payment terminal in a shop.

What’s more, Mendoza claims Samsung Pay follows a pattern to generate tokens, and once the initial payment token is intercepted, a user’s future tokens can be guessed and generated elsewhere. Samsung refutes this last part, noting “Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials.”


Source: TechSpot

