In a presentation given at Defcon, an ethical hacker named Salvador Mendoza highlighted what he believed to be major vulnerabilities associated with the Samsung Pay mobile payment service. He claims that the Samsung Pay service can be misused if payment tokens are skimmed. Samsung has responded to claims made by Mendoza, and has said that even though it is possible to exploit the vulnerability, it is an extremely difficult task to pull off.
In his presentation, Mendoza has shown how the payment tokens that are generated during the usage of Samsung Pay can be intercepted or (less credibly) even be fabricated by hackers to exploit users of Samsung’s mobile payment service.
Mendoza’s presentation showed how the payment tokens can be skimmed or intercepted. Tokens are sent from the mobile device to the payment terminal, implying the hacker needs to be standing close by. Since the tokens are single-use only, and expire within 24 hours, the payment will need to be halted after authentication for the token to remain valid and be misused. He even claims that the payment token generated by the South Korean company can be hypothetically figured out, and then used to develop tokens that can make purchases. However, Mendoza does not say he was able to generate any fake tokens himself.
Samsung in an FAQ responds to Mendoza’s Defcon presentation says that “token skimming” can be exploited, however, “multiple difficult conditions must be met”, which include close proximity to the user – as MST is a very short range communication system. The hacker will also have to either jam the signal before it reaches the payment terminal for the token to remain usable, or, somehow trick the user to stop the transaction after authentication. If despite all this, a hacker manages to get hold of a usable payment token, as soon as a transaction is made with it, the user will be notified on the associated smartphone – allowing them to alert authorities. As The Verge points out however, the entire process could be as simple as “setting up a fake payment terminal in a shop.”
The company has further clarified that the entire process of stealing and using payment tokens can apply to other payment systems as well – something that Mendoza himself admits to ZDNet – such as debit, credit, and payment cards.
As for the claim that hackers will be able to generate their own Samsung Pay payment tokens after analysing patterns, Samsung responded by saying, “It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms.”