Mobile payment services are assumed to be easy to use and more secure than other payment services. Top tech companies such as Google, Samsung, and Apple have introduced their own mobile payment services to make transactions more secure and reliable. There are, however, issues with the security and reliability of such mobile payment services, and such security issues were recently spotted in Samsung Pay. During a Black Hat talk in Las Vegas, security researcher Salvador Mendoza disclosed a flaw in the security of Samsung Pay that allows an attacker to make fraudulent payments using a victim’s phone. New Samsung phones ship with a magnetic-based contactless payment system that translates the credit card data into tokens so that the data on the card itself can’t be seen by a hacker.
According to Mendoza, however, those tokens aren’t very secure: the tokenization process gets weaker and weaker as the app generates more tokens, and after a certain point an attacker is able to predict future tokens without needing to gather any card information. Those stolen tokens can then be used in other hardware to make fraudulent transactions. To prove this, Mendoza sent a token to one of his friends in Mexico, where it was spoofed with a magnetic spoofing device to make a transaction, even though Samsung Pay is not available in Mexico.
Asked how he stole a token, Mendoza described his method: “He built a contraption that straps to his forearm and wirelessly steals the magnetic secure transmission (known as MST) when he picks up someone’s phone, which can then email the token to his inbox, so he can compile it into another phone. Or, you can hide that hardware in a legitimate card-reading machine like you would with a traditional card skimmer.”
Mendoza also said that “every credit, debit or prepaid card from any affiliated bank is affected by this kind of attack except the gift cards.” A spokesperson for Samsung said “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform. If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”
UPDATE: Samsung reached out to once again reiterate that Samsung Pay is extremely secure, and even briefly explained how it works, though they refused to comment on the report discussed in this article, which is probably company policy. Either way, you can follow this link if you’d like to read Samsung’s official statement following the security flaw reports.