At the just-concluded Black Hat conference, a researcher revealed a flaw in Samsung Pay that might allow a hacker to hijack a payment. Unfortunately, Samsung's response to the researcher's findings was not professional at all.
Salvador Mendoza, the security researcher who revealed the Samsung Pay flaw, said that the tokens produced by Samsung's method of tokenizing credit card and debit card data could be hijacked before reaching the payment terminal. Most worrying of all, the researcher claims the tokens can be predicted or guessed. In a proof-of-concept video, Mendoza demonstrated how an attacker could use tokens stolen from Samsung Pay for fraudulent transactions. The video is available on YouTube.
The payment tokens, which are generated by the user’s smartphone, become null and void after only 24 hours. However, an attacker can do a great deal of harm in less time. Mendoza demonstrated how an attacker could use a card skimming device such as MagSpoof to skim token data from the user’s smartphone. For such an attack to work, the user must initiate a payment but not complete it. A cunning attacker might play dumb and ask the victim to demonstrate how Samsung Pay works.
Mendoza also claimed that the method of token generation has patterns that can be guessed, thereby allowing a hacker to make their own tokens. But Mendoza acknowledged the difficulty of such an attack, saying that the attacker would have to analyze the token generation carefully. Moreover, Mendoza did not clearly state whether he was able to guess a token himself.
Samsung disputed all of the researcher's claims. In a blog post, Samsung said that “Samsung does not use the algorithm or predictable pattern presented in the Black Hat presentation, to protect and encrypt payment data.” However, the company admitted that it was possible for an attacker to skim token data from a user’s phone during the payment process.
But skimming token data from the phone is a difficult process altogether. The attack would require a hacker to identify a victim who is ready to make a purchase, and the attacker would have to be very close to the victim. Then the attacker would have to jam the signal between the Samsung phone and the payment terminal, skim the token from the phone, and use the token before the authentic user can complete the purchase themselves. In a nutshell, the attack is extremely difficult to pull off, but not impossible, considering that an attacker could set up a fake payment terminal.
Samsung indicates that it is aware of the problem and that, together with the payment firm it collaborates with, it deemed the flaw an acceptable risk. Mendoza also acknowledges that the risk is present in most debit cards, prepaid cards, and credit cards.
As much as this flaw is “an acceptable risk,” Samsung should patch it as soon as possible, before its clients fall victim to attacks related to it.