Hacker shows how it's possible to intercept Samsung Pay tokens and use them for purchases

By Jos
Aug 9, 2016
Post New Reply
  1. A recently discovered bug in Samsung Pay could allow hackers to intercept tokens generated by the contactless payment system and use them to make fraudulent payments. A proof of concept exploit was detailed by Salvador Mendoza during a Black Hat talk in Las Vegas.

    The problem lies within Samsung Pay’s tokenization process, in which credit card data is obfuscated in order to ensure it’s not shared with the merchant or with Samsung itself during a purchase. These tokens are automatically generated when the user initiates the purchase. However, if the purchase is not completed, the token will still remain active for 24 hours even after the session ends. If the user initiates a new purchase a new token will be generated.

    In the video below Mendoza demonstrates how it’s possible to use a concealed skimming device to obtain the token as it’s generated. He then loads it into a tool called MagSpoof, which he uses to make a purchase with on a vending machine.

    Of course, in a typical situation a token would only be useful for a few seconds before it is used to authorize an actual payment. Samsung acknowledges the problem but says such attacks are "extremely difficult" to pull off because of this.

    However, in a targeted attack, all it takes is some social engineering to get a user to unsuspectingly generate a token by authenticating but not completing a payment. Mendoza suggests that a hacker might trick the user by asking for a demo of Samsung Pay. Or with a little more access by setting up a fake payment terminal in a shop.

    What’s more, Mendoza claims Samsung Pay follows a pattern to generate tokens and once the initial payment token is intercepted, a user’s future tokens can be guessed and generated elsewhere. Samsung is refuting this last part noting “Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials.”

    Permalink to story.

  2. murray02

    murray02 TS Rookie

    LOL.... Samsung Pays tokenization is generated by MasterCard. They also do the tokenization for.... wait for it.... Apple Pay... So why is this only a Samsung Pay issue?

    Come on guys... little research to your topic?!

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...