Samsung Pay bakery

Update: Samsung has responded to this security concern, and coverage of their statement has been appended to the end of this report.

Although the exploit hasn’t been documented in the wild yet, security researchers have discovered a vulnerability in Samsung Pay that could be used to wirelessly steal credit card information.

This exploit was presented at a Black Hat talk in Las Vegas last week. Researcher Salvador Mendoza took to the stage to explain how Samsung Pay replaces the card data with a transaction “token”, so that the card number itself is never transmitted and cannot be stolen in transit. According to Mendoza, however, limitations in the token-creation process mean that the tokens themselves can be predicted.

Mendoza claims he was able to use token prediction to generate a token, which he then sent to a friend in Mexico. Samsung Pay is not available in that region, but the accomplice was still able to make a purchase with the token, using the Samsung Pay app together with magnetic spoofing hardware that emits the token as if it came from a card’s magnetic stripe.

So far, there is no evidence of this method actually being used to steal card data, and Samsung has yet to confirm the vulnerability. When made aware of Mendoza’s exploit, Samsung said that, “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.” The Korean tech titan reemphasized that Samsung Pay uses some of the most advanced security features available and that purchases made with the app are protected by the Samsung Knox security platform.


Update: Samsung has issued a press statement in response to these security concerns. In it, they acknowledge that Mendoza’s “token skimming” method can, in fact, be used to make fraudulent transactions. However, they stress that “multiple difficult conditions must be met” in order to exploit the token system.

In order to obtain a usable token, the skimmer must be very close to the victim, because MST (Magnetic Secure Transmission, the magnetic-field burst the phone emits to mimic a card swipe) is a very short-range communication method. Furthermore, the skimmer must either somehow jam the signal before it reaches the payment terminal or convince the user to cancel the transaction after it has been authenticated. Each token is tied to a single transaction and is accepted only once, so a token that the terminal has already consumed is worthless to the skimmer. Samsung is also dubious of Mendoza’s claim that attackers could generate tokens of their own. In their words:
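The replay conditions Samsung describes above can be made concrete with a small model. The following Python is an added example for this report, not Samsung’s code or the algorithm from the Black Hat talk: it assumes only what the statement says (a token is bound to one transaction and accepted at most once) plus one extra assumption of a short token lifetime. The `TokenService` class, the card reference `card-ending-1234`, and the three scenario functions are hypothetical names constructed for the illustration.

```python
"""Hypothetical model of single-use payment tokens and MST token replay.

Illustrative example added to this report; it is NOT Samsung's implementation.
Assumed from Samsung's statement: a token is tied to one transaction and is
accepted once. Added assumption: tokens also expire after a short TTL.
"""

import secrets


class TokenService:
    """Issuer-side token vault (hypothetical)."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        # token -> {"card": ..., "issued_at": ..., "used": bool}
        self._records = {}

    def issue(self, card_ref, now):
        """Mint a fresh, unpredictable token for one transaction at time `now`."""
        token = secrets.token_hex(8)  # 64 bits from the OS CSPRNG; not guessable
        self._records[token] = {"card": card_ref, "issued_at": now, "used": False}
        return token

    def authorize(self, token, now):
        """A terminal presents a token; approve at most once and only within the TTL."""
        rec = self._records.get(token)
        if rec is None:
            return "DECLINED: unknown token"
        if rec["used"]:
            return "DECLINED: token already used"
        if now - rec["issued_at"] > self.ttl:
            return "DECLINED: token expired"
        rec["used"] = True  # burn the token before approving
        return "APPROVED"


def replay_after_completed_purchase():
    """Skimmer captures the MST burst, but the victim's terminal also receives it."""
    svc = TokenService()
    token = svc.issue("card-ending-1234", now=0)  # constructed sample card reference
    captured = token                               # attacker within MST range
    victim = svc.authorize(token, now=1)           # genuine terminal authorizes first
    attacker = svc.authorize(captured, now=30)     # replay through spoofing hardware
    return victim, attacker


def replay_after_jammed_signal():
    """Terminal never receives the burst (jammed, or the user cancelled)."""
    svc = TokenService()
    token = svc.issue("card-ending-1234", now=0)
    captured = token
    attacker = svc.authorize(captured, now=30)     # first and only use, so approved
    return attacker


def replay_too_late():
    """Even an unspent token is worthless once its lifetime has passed."""
    svc = TokenService(ttl_seconds=60)
    token = svc.issue("card-ending-1234", now=0)
    return svc.authorize(token, now=120)


if __name__ == "__main__":
    print(replay_after_completed_purchase())  # ('APPROVED', 'DECLINED: token already used')
    print(replay_after_jammed_signal())       # APPROVED
    print(replay_too_late())                  # DECLINED: token expired
```

The first scenario is the ordinary case Samsung relies on: once the legitimate terminal has spent the token, the skimmer's copy is declined. The second is the attack condition from the statement, where the terminal never sees the burst, so the attacker's replay is the first presentation and goes through. The third shows why a short lifetime further narrows the window, which is why the researcher had to hand the token to an accomplice quickly rather than bank it for later use.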

It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms.

Samsung says that the existence of this issue is an “acceptable” risk. They note that the same methods can be used to make fraudulent transactions with other payment systems, such as ordinary debit and credit cards.


What are your thoughts regarding this latest reported vulnerability to mobile payment systems? All alarm with nothing substantial, or a security issue worth being concerned about? Give us your two cents in the comments below!
