Samsung Pay hack lets attackers skim cards to make fraudulent payments

Contactless mobile payments come as standard in Samsung's latest Galaxy smartphones, but a hacker has found a way to intercept their signals. In a presentation given at Defcon, Salvador Mendoza outlined a number of attacks targeting Samsung Pay, with the smartphone maker responding that it knew about this flaw, but that such attacks are "extremely difficult" to pull off.

The attacks outlined by Mendoza focus on intercepting or fabricating payment tokens — codes generated by the user's smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. They expire 24 hours after being generated and are single-use only.

Mendoza outlined a number of attacks targeting this. In one scenario, a wrist-mounted device is used to skim tokens generated by the user's smartphone. This would require a user to authenticate — but not complete — a mobile payment, with Mendoza suggesting that a hacker might trick the user by asking to see a demonstration of Samsung Pay. You can see this method in action in a video by Mendoza below:

In his presentation, Mendoza also claims to have found patterns in Samsung's method of token generation, allowing a hacker to hypothetically make their own new, usable tokens. Mendoza suggests that this is possible ("If an attacker analyzes the tokens very carefully, he/she could implement a guessing method") but does not say if he's managed to generate any fake tokens himself.

In a blog post, Samsung refuted this part of Mendoza's presentation, saying: "It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials." However, in an attached FAQ, the company admits that in certain scenarios an attacker could skim a user's payment token and make a fraudulent purchase with their card.

The difficulty, as Samsung describes it, is that the attacker must be physically close to the target while they are making a legitimate purchase. This might mean waiting for someone to buy something in a shop, jamming the signal between the smartphone and the payment terminal, skimming the token from their phone, and then using that token before the user completes their intended purchase. Samsung describes this process as "extremely difficult," but it could be as simple as setting up a fake payment terminal in a shop.

The mobile company says it and the payment firms it works with deemed this issue an "acceptable" risk, and if their overview is correct, it's certainly no more a danger to users than other methods of credit card fraud. Mendoza told ZDNet that "every credit card, debit card, or prepaid card from any affiliated bank" is susceptible to the same attack. That doesn't mean it's not an oversight, though. After all, what's the point in creating new payment systems if they simply replicate the flaws of the old ones?