Samsung Pay hack lets attackers skim cards to make fraudulent payments

Contactless mobile payments come as standard in Samsung's latest Galaxy smartphones, but a hacker has found a way to intercept their signals. In a presentation given at Defcon, Salvador Mendoza outlined a number of attacks targeting Samsung Pay, with the smartphone maker responding that it knew about this flaw, but that such attacks are "extremely difficult" to pull off.

The attacks outlined by Mendoza focus on intercepting or fabricating payment tokens — codes generated by the user's smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. They expire 24 hours after being generated and are single-use only.

Mendoza outlined a number of attacks targeting these tokens. In one scenario, a wrist-mounted device is used to skim tokens generated by the user's smartphone. This would require a user to authenticate — but not complete — a mobile payment, with Mendoza suggesting that a hacker might trick the user by asking to see a demonstration of Samsung Pay. You can see this method in action in a video by Mendoza below:

In his presentation, Mendoza also claims to have found patterns in Samsung's method of token generation, allowing a hacker to hypothetically make their own new, usable tokens. Mendoza suggests that this is possible ("If an attacker analyzes the tokens very carefully, he/she could implement a guessing method") but does not say if he's managed to generate any fake tokens himself.

In a blog post, Samsung refuted this part of Mendoza's presentation, saying: "It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials." However, in an attached FAQ, the company admits that in certain scenarios an attacker could skim a user's payment token and make a fraudulent purchase with their card.

The difficulty, as Samsung describes it, is that the attacker must be physically close to the target while they are making a legitimate purchase. This might mean waiting for someone to buy something in a shop, jamming the signal between the smartphone and the payment terminal, skimming the token from their phone, and then using that token before the user completes their intended purchase. Samsung describes this process as "extremely difficult," but it could be as simple as setting up a fake payment terminal in a shop.

The mobile company says it and the payment firms it works with deemed this issue an "acceptable" risk, and if their overview is correct, it's certainly no more a danger to users than other methods of credit card fraud. Mendoza told ZDNet that "every credit card, debit card, or prepaid card from any affiliated bank" is susceptible to the same attack. That doesn't mean it's not an oversight, though. After all, what's the point in creating new payment systems if they simply replicate the flaws of the old ones?
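The token lifecycle the article describes (single use, 24-hour expiry) and the ordering race behind the jam-then-use scenario, modelled from the issuer's side as an added example. This is a constructed illustration, not Samsung's or any payment network's code; the TokenService class, its random token format and the reference time are assumptions.

```python
"""Issuer-side model of the one-time payment token the article describes:
single use, valid for 24 hours after the phone generates it.
Constructed illustration; not Samsung Pay's or any payment network's code."""
import secrets
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=24)        # validity window stated in the article
NOW = datetime(2016, 8, 8, 12, 0)      # constructed reference time

class TokenService:
    """Tracks issued tokens and decides whether a presented token is accepted."""

    def __init__(self):
        self._tokens = {}  # token -> [issued_at, already_used]

    def issue(self, now):
        """User authenticates on the phone; a fresh one-time token is minted
        (token_hex stands in for the network's real token format)."""
        token = secrets.token_hex(8)
        self._tokens[token] = [now, False]
        return token

    def redeem(self, token, now):
        """Terminal presents the token; returns 'approved' or a decline reason."""
        entry = self._tokens.get(token)
        if entry is None:
            return "declined: unknown token"
        issued_at, used = entry
        if used:
            return "declined: token already used"  # the replay signal fraud teams see
        if now - issued_at > TOKEN_TTL:
            return "declined: token expired"
        entry[1] = True
        return "approved"

def race_outcome(victim_delay_s, replay_delay_s):
    """Issue one token, present it from the victim's terminal and from a recorded
    copy, and return (victim_result, replay_result). Only arrival order matters."""
    svc = TokenService()
    tok = svc.issue(NOW)
    attempts = sorted([("victim", victim_delay_s), ("replay", replay_delay_s)],
                      key=lambda a: a[1])
    results = {who: svc.redeem(tok, NOW + timedelta(seconds=s)) for who, s in attempts}
    return results["victim"], results["replay"]

def stale_replay(hours_held):
    """A recorded but unused token presented after the 24-hour window."""
    svc = TokenService()
    tok = svc.issue(NOW)
    return svc.redeem(tok, NOW + timedelta(hours=hours_held))
```

With the terminal jammed, the recorded copy arrives first and it is the victim's retry that is declined as "already used", which is the event an issuer's fraud team can alert on.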


About that skimming part, how does Apple Pay for example get around it? The way I see it now, it should also be vulnerable.

From what I understand, Samsung Pay and Apple Pay work quite differently when it comes to traditional swipe machines. I have heard that Samsung Pay actually works with traditional swiping machines and does not require a special POS system to work. I’m guessing the exploit has something to do with exploiting that type of transaction… maybe.

Payment Processor issued tokens. Any attempted transaction would result in a pass/fail on that token, but regardless of result would disallow that token to be re-used. (Same with Chip)

Vulnerability is basically just a standard replay attack.

Apple Pay uses NFC, and so does Android Pay. Samsung Pay uses MST as well as NFC. MST stands for Magnetic Secure Transmission; essentially it emulates a card swipe. It is vulnerable to card skimmers just as any regular credit card is with the magnetic strip. NFC, however, is not vulnerable to card skimmers of any kind as it’s a different technology entirely, and it is two-way, meaning the device and the reader both send and receive data. I think I had read that, like chip cards, NFC is supposed to use challenge-and-response authorization so that you can’t replay the data even if you get a good read on the data transferred in NFC (which should really be encrypted anyway). Also, another key difference is that this attack relies on replaying tokens that were generated and not used. NFC payments know when the token is used pretty quickly (because of the two-way communication), while MST does not necessarily know when the token will get used (payments with a card reader can lag for a while). Once the payment with the token goes through, the token is no longer able to be used, but an unused token is valid for 24 hours with Samsung Pay. This is why it’s vulnerable.

Thanks! I didn’t know Samsung Pay emulates magstripes! It makes sense now.

Thank you also to the other two commenters above!

Just to clarify: the victim must be in payment mode for this attack to work. So, as the article points out, they would have to intercept it, which would be difficult. Additionally, as the article mentions, each token that is harvested can only be used once. The reality of the situation is that it doesn’t matter whether it’s MST or NFC. Harvesting can occur on both technologies. Taking it a step further: Android Pay activates when near NFC, meaning that if your phone was unlocked, and someone came by with an NFC reader (like on a train), they could skim a token. However, with Samsung, Samsung Pay must be activated…

In the end, the most interesting component of the article is the supposed ability to guess the next credential, which just isn’t true. He is probably assuming that just by guessing the ATC one can predict the next credential, and that’s not correct – it’s much more sophisticated than that. (ATC is application transaction counter, and is a security feature used in your new credit cards that have a chip.) Finally, this type of attack isn’t feasible at scale which is really all that matters. Every product has very rare and occasional fraud – it just depends on the type (of fraud).

Source: I work in Fraud at one of the major payment brands

Taking it a step further. Android Pay activates when near NFC, meaning that if your phone was unlocked, and someone came by with an nfc reader (like on a train) they could skim a token.

If they skim the token, wouldn’t the reader then have to enact a payment in order to use it? NFC is different than MST in that it communicates 2 ways with the reader so it could in theory expire the token if it doesn’t get the payment through (although I don’t know if it actually does this). If the attacker needs to enact a transaction then Android Pay would pop up on the person’s phone and they would see it and be able to call Google and report the fraud. MST however requires that it let the token stay valid for 24 hours because of the older credit card infrastructure it uses.

Not sure why people say it is super difficult. A fraudster can just attach their intercepting device to a cash register machine/payment terminal unnoticed, and be done.

Thanks mate for the explanation.

Referring to the process as ‘extremely difficult’ and the flaw as an ‘acceptable risk’ is Samsung basically issuing a challenge.
Good luck with that Samsung… I’m going to watch 90’s X-Men on Netflix while someone proves you wrong.

What??? I can’t find it anywhere on Netflix. I would be that show in a heartbeat if available. That and 90’s spiderman.

Well, for someone to "hack" a user, the user would have to be using a terminal using the MST part and not NFC. The "hacker" would have to be standing next to you to hold a scanner close enough to your device and credit card terminal to intercept the token. This is assuming they could decrypt the token. I would say that is not only extremely difficult but pretty close to impossible to hack. And if someone is stupid enough to get hacked by demonstrating their Samsung Pay or not noticing someone holding a scanner up to the credit card terminal, honestly they deserve to lose their money. My guess is you won't stop watching X-Men.

Not really. Here "difficult" can be replaced by "impractical." That’s not the kind of challenge anybody would want to consider.

Everything is hackable. The difference is to what degree.

Kind of a misleading title is it not? They aren’t skimming a card (which can be re-used over and over again). It’s skimming a one time use token. Definitely not a good thing, but still not nearly as bad as skimming a physical card.

Quality information is hard to come by these days. Article titles and content are engineered; they’re not an honest representation of the truth.

And Samsung is saying it’s only as secure as a basic debit card. That doesn’t mean it’s somehow more vulnerable just because Samsung made it, which is what seems to be implied.

what a misleading title.

After reading the article I have failed to actually find the actual hack demonstrated. I was only lectured on a theoretical attack vector. Where is the actual hack? Bring it on, let’s see it.

It’s a clickbait article. Typical Verge tactic.
