Samsung Pay vulnerability can enable fraudulent payments

During the recent Defcon hacking conference, held last week in Paris, a hacker demonstrated how he could make fraudulent payments through Samsung Pay.

Samsung says it knew of this and considers it an acceptable risk. It claims the method is almost too difficult to pull off, and no different than fraud methods we see today with credit cards.

Before letting you decide if new payment systems should have the same flaws as the old ones, let’s dive into what the method really is.

According to the hacker, Salvador Mendoza, an attacker could intercept Samsung Pay tokens (codes generated by the smartphone that hold credit card information -- they expire within 24 hours and cannot be reused) and use them to make purchases.

Mendoza also says a hacker could actually make their own, usable tokens -- even though it’s a really long shot. "If an attacker analyses the tokens very carefully, he/she could implement a guessing method", he says.

Samsung was quick to react: "It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials".

It did say that token skimming is a possibility, but one that is very difficult to pull off: the attacker must be physically close to the victim at the moment of the purchase. The attacker would then need to jam the signal, skim the token and use it before the original transaction completes.

Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.
