A recently discovered bug in Samsung Pay could allow hackers to intercept tokens generated by the contactless payment system and use them to make fraudulent payments. A proof of concept exploit was detailed by Salvador Mendoza during a Black Hat talk in Las Vegas.
The problem lies within Samsung Pay’s tokenization process, in which credit card data is obfuscated in order to ensure it’s not shared with the merchant or with Samsung itself during a purchase. These tokens are automatically generated when the user initiates the purchase. However, if the purchase is not completed, the token still remains active for 24 hours even after the session ends. If the user initiates a new purchase, a new token is generated.
In the video below Mendoza demonstrates how it’s possible to use a concealed skimming device to obtain the token as it’s generated. He then loads it into a tool called MagSpoof, which he uses to make a purchase at a vending machine.
Of course, in a typical situation a token would only be useful for a few seconds before it is used to authorize an actual payment. Samsung acknowledges the problem but says that, because of this, such attacks are "extremely difficult" to pull off.
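The two lifetimes described above (a 24-hour window for an abandoned token versus the few seconds a token is actually needed) can be modelled on the issuer side. The following is an added illustration, not Samsung Pay's code or Mendoza's: a hypothetical token service that issues unpredictable single-use tokens and shows how the redemption outcome for an abandoned token changes with the configured lifetime. The key, card number and timings are constructed sample values.

```python
import hmac
import hashlib
import secrets

class TokenVault:
    """Hypothetical issuer-side token service used to model the policies
    discussed in the article; it is not Samsung Pay's implementation."""

    def __init__(self, key: bytes, ttl_seconds: int):
        self.key = key
        self.ttl = ttl_seconds
        self.issued = {}      # token -> issue time (seconds)
        self.spent = set()    # tokens already used for a payment

    def issue(self, pan: str, now: float) -> str:
        # Fresh random nonce per token: a captured token carries no
        # information about the next one, so future tokens cannot be derived.
        nonce = secrets.token_hex(8)
        msg = f"{pan}|{nonce}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        token = nonce + tag
        self.issued[token] = now
        return token

    def redeem(self, token: str, now: float) -> str:
        if token in self.spent:
            return "rejected: replay"
        issued_at = self.issued.get(token)
        if issued_at is None:
            return "rejected: unknown token"
        if now - issued_at > self.ttl:
            return "rejected: expired"
        self.spent.add(token)   # single use: a second presentation is a replay
        return "approved"

def abandoned_token_outcome(ttl_seconds: int) -> str:
    """Token generated by authenticating but never completing the purchase,
    then presented two hours later (constructed scenario)."""
    vault = TokenVault(key=b"constructed-demo-key", ttl_seconds=ttl_seconds)
    token = vault.issue(pan="4111111111111111", now=0.0)  # constructed sample PAN
    return vault.redeem(token, now=2 * 3600)

def replay_outcome(ttl_seconds: int) -> str:
    """A token spent on a legitimate payment and then presented again."""
    vault = TokenVault(key=b"constructed-demo-key", ttl_seconds=ttl_seconds)
    token = vault.issue(pan="4111111111111111", now=0.0)
    vault.redeem(token, now=5.0)          # legitimate payment
    return vault.redeem(token, now=10.0)  # same token again

if __name__ == "__main__":
    print("24 h lifetime, abandoned token:", abandoned_token_outcome(24 * 3600))
    print("60 s lifetime, abandoned token:", abandoned_token_outcome(60))
    print("replay of a spent token:", replay_outcome(24 * 3600))
```

With a 24-hour lifetime the abandoned token is still approved two hours later, whereas a lifetime measured in seconds expires it; the single-use check rejects a replayed token regardless of lifetime.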
However, in a targeted attack, all it takes is some social engineering to get a user to unsuspectingly generate a token by authenticating but not completing a payment. Mendoza suggests that a hacker might trick the user by asking for a demo of Samsung Pay, or, with a little more access, by setting up a fake payment terminal in a shop.
What’s more, Mendoza claims Samsung Pay follows a pattern when generating tokens, so that once an initial payment token is intercepted, a user’s future tokens can be predicted and generated elsewhere. Samsung disputes this last point, noting that “Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials.”