A flaw in Samsung Pay could be exploited to remotely skim credit cards

The security expert Salvador Mendoza demonstrated that is it easy to steal Samsung Pay tokens and reuse them to make fraudulent purchases.

The security researcher Salvador Mendoza has discovered a flaw in the Samsung Pay system that could be exploited by hackers to remotely skim credit cards. The attackers can steal Samsung Pay tokens and use them in another device to make fraudulent transactions.

Samsung Pay is a contactless payment system that comes standard in many modern Samsung smartphones. The system relies on tokens that have been designed to securely include credit card data, but evidently something goes wrong.

The bug affects the tokenization process, it could allow attackers to predict the sequencing of the tokens.

Those tokens can be stolen by attackers and used in other hardware to make fraudulent transactions without any restrictions.

As a proof-of-concept, Mendoza sent a token to one of his friends in Mexico who would use it with magnetic spoofing hardware to buy something.

Below a video PoC of the hack:

Mendoza also explained that the theft of Samsung Pay can be very easy, said Mendoza.

“Mendoza built a contraption that straps to his forearm and wirelessly steals magnetic secure transmission (known as an MST) when he picks up someone’s phone, which can then email the token to his inbox, so he can compile it into another phone.” Wrote Zack Whittaker for Zero Day.

“Or, you can hide that hardware to a legitimate card-reading machine like you would with a traditional card skimmer.”

In his PoC Mendoza loaded a token into the MagSpoof device, that is a tiny device that can spoof/emulate any magnetic stripe or credit card. The MagSpoof device was designed by the popular hacker Samy Kamkar (@SamyKamkar), it can work wirelessly, even on standard magstripe/credit card readers.

The tiny gadget dubbed MagSpoof is a credit card/magstripe spoofer and can be used also at non-wireless payment terminals, it is composed of a microcontroller, motor-driver, wire, a resistor, switch, LED, and a battery.

Mendoza confirmed that every credit card, debit card or prepaid card is vulnerable to his attack, meanwhile, gift cards are not impacted because Samsung Pay relies on a scanned barcode rather than a transmitted signal.

“Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform,” the Samsung spokesperson said.

“If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue,”

UPDATE from Samsung Pay August 8, 2016

Statement on the allegation concerning Samsung Pay security

On August 7, 2016 by Samsung Mobile Security
Keeping payment information safe is a top priority for Samsung Pay which is why Samsung Pay is built with highly advanced security features. It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms.

Samsung Pay is considered safer than payment cards because it transmits one time use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.
Frequently asked questions on this statement may be found here.

For additional information on Samsung Pay Security, please visit here.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Samsung Pay , hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.