The security researcher Salvador Mendoza has discovered a flaw in the Samsung Pay system that could be exploited by hackers to remotely skim credit cards. The attackers can steal Samsung Pay tokens and use them in another device to make fraudulent transactions.
Samsung Pay is a contactless payment system that comes standard in many modern Samsung smartphones. The system relies on tokens that have been designed to securely include credit card data, but evidently something goes wrong.
The bug affects the tokenization process, it could allow attackers to predict the sequencing of the tokens.
Those tokens can be stolen by attackers and used in other hardware to make fraudulent transactions without any restrictions.
As a proof-of-concept, Mendoza sent a token to one of his friends in Mexico who would use it with magnetic spoofing hardware to buy something.
Below a video PoC of the hack:
Mendoza also explained that the theft of Samsung Pay can be very easy, said Mendoza.
“Mendoza built a contraption that straps to his forearm and wirelessly steals magnetic secure transmission (known as an MST) when he picks up someone’s phone, which can then email the token to his inbox, so he can compile it into another phone.” Wrote Zack Whittaker for Zero Day.
“Or, you can hide that hardware to a legitimate card-reading machine like you would with a traditional card skimmer.”
In his PoC Mendoza loaded a token into the MagSpoof device, that is a tiny device that can spoof/emulate any magnetic stripe or credit card. The MagSpoof device was designed by the popular hacker Samy Kamkar (@SamyKamkar), it can work wirelessly, even on standard magstripe/credit card readers.
The tiny gadget dubbed MagSpoof is a credit card/magstripe spoofer and can be used also at non-wireless payment terminals, it is composed of a microcontroller, motor-driver, wire, a resistor, switch, LED, and a battery.
Mendoza confirmed that every credit card, debit card or prepaid card is vulnerable to his attack, meanwhile, gift cards are not impacted because Samsung Pay relies on a scanned barcode rather than a transmitted signal.
“Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform,” the Samsung spokesperson said.
“If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue,”
Samsung Pay is considered safer than payment cards because it transmits one time use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.
Frequently asked questions on this statement may be found here.
For additional information on Samsung Pay Security, please visit here.
(Security Affairs – Samsung Pay , hacking)