
Samsung Pay Token Flaw Allegedly Allows Fraudulent Transactions

Samsung has not yet publicly confirmed this security issue in its mobile payment system, nor said whether it has been fixed, although the company did give the following statement:


Samsung Pay works by transforming your credit card information into tokens, thus preventing the “real” data from being stolen directly from your smartphone. Since payment tokens can only be used for one transaction, the skimmed token can only be used if you do not complete your Samsung Pay transaction.

According to researcher Salvador Mendoza, Samsung’s tokenisation process, which substitutes a one-off token for the payment card data during each transaction so that anything skimmed is useless to thieves, is not as random as it should be, potentially allowing an attacker to predict future tokens.

The service translates card data into temporary tokens that are deactivated as soon as the transaction completes; the tokens are single-use and expire 24 hours after being generated, the intention being that an intercepted token is worthless to an attacker.

At this point Samsung has not confirmed the vulnerability, and there is no clear evidence that the flaw is actually being used to commit card fraud.

Mendoza said that he managed to exploit the predictability of the tokens and generate a valid one himself. To demonstrate this, he sent a token to a friend in Mexico, who was then able to use it with a magnetic spoofing tool to make a Samsung Pay purchase, even though the service had not yet launched in Mexico. The video does not address user authentication at all: with a token skimmer hidden in his sleeve, a scammer could intercept Samsung Pay tokens while demonstrating the payment system on the victim’s own phone.
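The two properties the article turns on, single use with a 24-hour expiry and unpredictability of the next token, can be modelled in a few dozen lines. The following is an added illustration written for this page, not Samsung Pay’s code or its real token scheme: the generators, the vault, the card number and the scenarios are all constructed assumptions. It pits a deliberately predictable generator (a linear congruential generator whose entire state is the last token it emitted) against one drawn from the OS CSPRNG, and runs the skim-and-replay cases the article and Samsung’s statement describe.

```python
"""Toy model of a single-use payment-token vault with a predictable and an
unpredictable token generator. Constructed illustration for this article,
not Samsung Pay's code or algorithm."""
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60  # 24-hour lifetime, as quoted in the article


class WeakTokenizer:
    """Hypothetical predictable generator: a 31-bit linear congruential
    generator whose whole state is the last token it emitted. It stands in
    for any scheme where future tokens can be derived from observed ones."""
    A, C, M = 1103515245, 12345, 2 ** 31

    def __init__(self, seed: int):
        self.state = seed % self.M

    def next_token(self) -> str:
        self.state = (self.A * self.state + self.C) % self.M
        return f"{self.state:08x}"


def predict_next_weak(observed: str) -> str:
    """What a skimmer who captured one WeakTokenizer token can compute."""
    s = int(observed, 16)
    return f"{(WeakTokenizer.A * s + WeakTokenizer.C) % WeakTokenizer.M:08x}"


class StrongTokenizer:
    """Tokens drawn from the OS CSPRNG; past tokens reveal nothing about the next."""
    def next_token(self) -> str:
        return secrets.token_hex(16)


@dataclass
class Issued:
    pan_last4: str
    issued_at: float
    used: bool = False


class TokenVault:
    """Issuer-side store enforcing single use and the 24-hour expiry."""
    def __init__(self, generator):
        self.generator = generator
        self._tokens: dict[str, Issued] = {}

    def issue(self, pan: str, now: float) -> str:
        token = self.generator.next_token()
        self._tokens[token] = Issued(pan[-4:], now)
        return token

    def redeem(self, token: str, now: float) -> str:
        rec = self._tokens.get(token)
        if rec is None:
            return "rejected: unknown token"
        if now - rec.issued_at > TOKEN_TTL_SECONDS:
            return "rejected: expired"
        if rec.used:
            return "rejected: already used"
        rec.used = True
        return f"approved: card ending {rec.pan_last4}"


PAN = "4111111111111111"  # constructed test card number, not a real account


def run_scenarios() -> dict:
    results = {}
    t0 = 1_700_000_000.0

    # 1. Skimmer captures the token, but the victim completes the purchase first.
    vault = TokenVault(StrongTokenizer())
    tok = vault.issue(PAN, t0)
    results["victim_completes"] = vault.redeem(tok, t0 + 5)
    results["replay_after_victim"] = vault.redeem(tok, t0 + 60)

    # 2. Skimmer captures the token and the victim abandons the transaction
    #    (the case Samsung's statement concedes).
    tok = vault.issue(PAN, t0)
    results["skim_victim_abandons"] = vault.redeem(tok, t0 + 60)

    # 3. The skimmer sits on the token for more than 24 hours.
    tok = vault.issue(PAN, t0)
    results["replay_after_expiry"] = vault.redeem(tok, t0 + TOKEN_TTL_SECONDS + 1)

    # 4. Predictable generator: one observed token yields the victim's next
    #    one, so the attacker spends it before the victim does.
    weak_vault = TokenVault(WeakTokenizer(seed=20160805))
    observed = weak_vault.issue(PAN, t0)
    guessed = predict_next_weak(observed)
    victims_next = weak_vault.issue(PAN, t0 + 3600)
    results["prediction_matches"] = guessed == victims_next
    results["attacker_spends_predicted"] = weak_vault.redeem(guessed, t0 + 3601)
    results["victim_then_rejected"] = weak_vault.redeem(victims_next, t0 + 3700)

    # 5. Unpredictable generator: a guess is never a token the vault issued.
    guess = secrets.token_hex(16)
    results["guess_against_strong"] = vault.redeem(guess, t0 + 3600)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} {outcome}")
```

Scenarios 1 to 3 show why single use and expiry blunt a plain skim-and-replay: only an abandoned transaction leaves the attacker a spendable token. Scenario 4 is the point of Mendoza’s claim: if the generator is predictable, the attacker no longer needs the victim to abandon anything, because the attacker can spend the next token before the victim’s own purchase consumes it, and single use then works against the victim. The fix is scenario 5: tokens that carry no information about their successors.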


In any case, this is not an exploit worth losing sleep over, given the number of conditions that all have to be met before a fraudster can make use of a stolen token: a skimming device within range of the phone during a payment, and either a transaction the victim then abandons or a correct guess of a future token.
