Possible Security Flaw Found in Samsung Pay
Salvador Mendoza, a security researcher, claims to have found a weakness in Samsung Pay’s security, which allows hackers to steal payment tokens and use them in another phone to complete fraudulent transactions.
Samsung Pay works by translating credit card data into a token so that hackers cannot steal credit card numbers from the phone. Mendoza told ZDNet that the tokenization process is limited, though: the sequencing can be predicted, which makes it easy to steal the token.
To steal the token, Mendoza built a machine he can strap to his forearm to intercept the magnetic secure transmission (MST) from someone’s phone. Then, he can email the token to his inbox in order to load it onto another phone. To test the token, Mendoza sent it to a friend in Mexico, and that person could use it with magnetic spoofing hardware to make a purchase, even though Samsung Pay is not available in Mexico.
Hackers could also hide the hardware next to a card-reading machine, just as they do with traditional credit card skimmers. Then, the hacker would just use a wireless magnetic stripe spoofer to load the data and buy products.
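The risk described above is a replay: a token captured from one phone is accepted again when presented from another device. The following is an added, constructed simulation (not Samsung Pay's real protocol, and not Mendoza's code) that contrasts an issuer that only checks a token's signature with one that also enforces a freshness window and one-time use; the secret key, card reference and timestamps are made-up values.

```python
import hmac
import hashlib

# Constructed simulation only; key, card reference and timestamps are made up.
SECRET = b"issuer-secret-key-for-demo"   # held by the issuer, never by the terminal
TOKEN_TTL = 60                           # seconds a minted token stays valid

def mint_token(card_ref: str, counter: int, issued_at: int) -> str:
    """Issuer mints a token bound to a card reference, a per-card counter and a timestamp."""
    payload = f"{card_ref}:{counter}:{issued_at}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()[:16]
    return f"{card_ref}:{counter}:{issued_at}:{tag}"

def verify_signature_only(token: str) -> bool:
    """Weak check: any well-formed token with a valid tag is accepted, however often it is replayed."""
    card_ref, counter, issued_at, tag = token.split(":")
    payload = f"{card_ref}:{counter}:{issued_at}".encode()
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected)

class Issuer:
    """Hardened check: valid tag, not older than TOKEN_TTL, and each (card, counter) spent only once."""
    def __init__(self) -> None:
        self.used = set()

    def authorize(self, token: str, now: int) -> bool:
        if not verify_signature_only(token):
            return False
        card_ref, counter, issued_at, _ = token.split(":")
        if now - int(issued_at) > TOKEN_TTL:
            return False          # stale: captured earlier and presented much later
        key = (card_ref, int(counter))
        if key in self.used:
            return False          # already spent: a replay from a second device
        self.used.add(key)
        return True

def replay_scenario():
    """Legit purchase, then the same token replayed from another device, then a stale token."""
    t0 = 1_000_000
    token = mint_token("card-ref-demo", 7, t0)
    weak = (verify_signature_only(token), verify_signature_only(token))
    issuer = Issuer()
    hardened = (issuer.authorize(token, t0 + 5), issuer.authorize(token, t0 + 20))
    stale = Issuer().authorize(mint_token("card-ref-demo", 8, t0), t0 + 600)
    return weak, hardened, stale

if __name__ == "__main__":
    print(replay_scenario())   # ((True, True), (True, False), False)
```

The weak verifier accepts the replayed token twice; the hardened issuer accepts the first presentation and rejects both the replay and the stale token.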
Mendoza said that “every credit card, debit card or prepaid card from any affiliated bank” could be stolen, but gift cards are safe, because Samsung Pay uses a barcode to be scanned rather than transmitting a signal.
For its part, Samsung said, “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”
The company also assured users of the service’s safety. “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform.”