Samsung Pay Token Flaw Allows Hackers to Make Fraudulent Transactions?

By | August 8, 2016

Samsung Pay Service

A security researcher has discovered several security issues in the Samsung Pay mobile payment service, including a vulnerability that can be exploited to make fraudulent transactions.

The Samsung Pay service provides users with a digital wallet where they can keep their plastic credit, debit, gift, loyalty and membership cards. When customers want to use one of their cards, they simply select it, enter their PIN or scan their fingerprint, and hold their smartphone near the card reader.

Security researcher Salvador Mendoza presented the results of his analysis at the Black Hat security conference.

According to the results:

The expert discovered static passwords used to protect databases, weak obfuscation, and comments in the code – all of which could eventually allow a clever attacker to access sensitive data.

Mendoza also noticed that the mobile application uses tokens to perform transactions instead of the actual card data – this ensures that the original card data is not exposed. A new token is generated for each transaction and, according to the researcher, an attacker might be able to predict future tokens based on previously used tokens.

Another attack method, which the expert has managed to put into practice, is related to unused tokens. Each token is invalidated after the transaction is completed. However, if for some reason the transaction is not completed, the token remains valid for one day, even after a new token is generated.

If attackers can obtain unexpired tokens, they can use them to make transactions without needing the victim’s smartphone. Mendoza created a small device, one that can be attached to a person’s wrist, that can capture tokens from nearby phones running Samsung Pay. In a scenario described by the expert, the attacker asks the victim to show them how the mobile payment system works, a process in which a token is generated, but remains unused.
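The token-lifetime behaviour described above (an unused token that stays valid for a day, even after a newer token has been generated) is an issuer-side policy choice. The following is an added illustrative model, not Samsung Pay's code and not the researcher's tooling; the `TokenIssuer` class, its policies and the wallet identifiers are assumptions made for the example. It replays the "show me how it works" scenario against two policies: the lax one the article describes, and a stricter one where tokens expire within minutes and issuing a new token revokes any earlier unused one.

```python
"""Token lifecycle policies for a tokenised payment flow (added example).

Illustrative model only: it contrasts the behaviour the article describes
(an unused token stays valid for a day, even after a newer token is
generated) with a stricter issuer-side policy (short lifetime, one
outstanding token per wallet, single redemption).
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    value: str          # opaque one-time value presented to the terminal
    wallet_id: str      # wallet the token was issued to (hypothetical id)
    issued_at: float    # seconds, from the caller-supplied clock
    redeemed: bool = False
    revoked: bool = False


@dataclass
class TokenIssuer:
    """Issuer-side token service with a configurable lifetime policy.

    ttl_seconds: how long an unused token stays valid.
    revoke_on_reissue: whether issuing a new token for a wallet invalidates
    its earlier unused ones.
    """
    ttl_seconds: float
    revoke_on_reissue: bool
    _tokens: dict = field(default_factory=dict)  # token value -> Token

    def issue(self, wallet_id: str, now: float) -> str:
        if self.revoke_on_reissue:
            for tok in self._tokens.values():
                if tok.wallet_id == wallet_id and not tok.redeemed:
                    tok.revoked = True
        # Fresh random value: not derived from earlier tokens, so not predictable.
        value = secrets.token_hex(16)
        self._tokens[value] = Token(value, wallet_id, now)
        return value

    def redeem(self, value: str, now: float) -> bool:
        """Return True if the token is accepted for a transaction, else False."""
        tok = self._tokens.get(value)
        if tok is None or tok.redeemed or tok.revoked:
            return False
        if now - tok.issued_at > self.ttl_seconds:
            return False
        tok.redeemed = True  # accepted exactly once
        return True


# Policy the article describes: unused token valid for a day, not revoked by reissue.
LAX = dict(ttl_seconds=24 * 3600, revoke_on_reissue=False)
# Stricter policy: two-minute window, one outstanding token per wallet.
STRICT = dict(ttl_seconds=120, revoke_on_reissue=True)


def demo_unused_token_replay(policy: dict) -> bool:
    """Simulate the 'show me how it works' scenario from the article.

    Token t1 is generated but never presented to a terminal; a minute later
    the owner generates a second token for a real purchase. Returns whether
    t1 is still accepted ten minutes after it was generated.
    """
    issuer = TokenIssuer(**policy)
    t1 = issuer.issue("wallet-A", now=0)     # demo token, never used
    issuer.issue("wallet-A", now=60)         # owner's real purchase token
    return issuer.redeem(t1, now=600)


def demo_single_redemption(policy: dict) -> tuple:
    """A token accepted once must not be accepted a second time."""
    issuer = TokenIssuer(**policy)
    t = issuer.issue("wallet-B", now=0)
    return issuer.redeem(t, now=5), issuer.redeem(t, now=6)


if __name__ == "__main__":
    print("lax policy, stale unused token accepted:   ", demo_unused_token_replay(LAX))
    print("strict policy, stale unused token accepted:", demo_unused_token_replay(STRICT))
    print("double redemption under strict policy:     ", demo_single_redemption(STRICT))
```

Under the lax policy the stale demo token is still accepted (`True`); under the strict policy it is rejected (`False`) twice over, once because the owner's later token revoked it and once because the two-minute window has passed. Either of those controls on its own closes the day-long window the article describes; the single-redemption check is what both policies already share.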

The captured token can then be added to a device such as MagSpoof, an open source wireless credit card and magstripe spoofer created by researcher Samy Kamkar. MagSpoof can emulate a traditional magnetic stripe card by generating a strong electromagnetic field.

Samsung denies the flaw

In a statement, Samsung denied the flaw presented at the Black Hat security conference:

Keeping payment information safe is a top priority for Samsung Pay which is why Samsung Pay is built with highly advanced security features. It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms.

Samsung Pay is considered safer than payment cards because it transmits one time use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.

For additional information on Samsung Pay Security, please visit here.
