Samsung both denies and admits mobile payment vulnerability

Samsung said that reports of a vulnerability in Samsung Pay mobile payments were "simply not true" -- but also admitted that token skimming was, in fact, possible but difficult enough that the potential risk was acceptable

Security researcher Salvador Mendoza demonstrated a flaw in Samsung Pay at Black Hat last week, in which the tokens used to secure transactions could be predicted, and used to authorize fraudulent payments.

Samsung responded with a statement calling the report "simply not true."

"Samsung Pay is safe, secure and consumers can be assured that there is no known risk associated to using our payment service," the company said.

But then, in a separate, more detailed document, Samsung admitted that it is possible to capture a token, but said that it was extremely difficult to do so.


"This skimming attack model has been a known issue reviewed by the card networks and Samsung Pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack," Samsung said.

The company did not respond to a request for additional information.

Mendoza posted a follow-up video on Tuesday, again demonstrating the vulnerability.

"I made this video without cutting or editing anything from it, making a transaction using MagSpoof," he said in a note posted along with the video. MagSpoof is an open-source application that lets users spoof magnetic stripe codes. "According to Samsung's statement this transaction had to be declined. But it went through."

"They are not addressing the main problem," Mendoza told CSO Online.

In particular, the difficulty of an attack is not much of a barrier in a world where criminals routinely package and sell ready-to-go exploits to one another.

"An attacker has to prepare a complete scenario to be successful," he said. "But that does not mean that it is complex or expensive. Basically, each tool that I made costs around $50. So many people with computer science knowledge could make something similar."

He added that he notified Samsung about the issue in May, and the company asked him for more details about the vulnerability.

"The communication was fluent and adequate," he said. "After many emails, I sent my presentation a couple of weeks before Black Hat. But after that, they did not respond any more regarding the issues."


"I've seen Mendoza's research, and watched the videos, and it seems like he's got a pretty airtight case, that's for sure," said security expert Jonathan Sander, vice president of product strategy at Lieberman Software.

The main problem seems to be that the tokens generated by Samsung Pay are, to some degree, sequential, making it possible to predict future tokens.

"I feel empathy for Samsung," he added. "Clearly they have done a lot to wrap this in secure layers. They might have committed an error along the way, the sequential thing, but they clearly took a lot of effort to protect it with many layers of protection and authentication. What this shows is that Samsung is like every other company on Earth, which is fallible."

The initial reaction to downplay the vulnerability is a typical public relations move, he added.

"You get some kind of breach, you get the first carpet-bomb marketing reply, and a week later a more detailed reply with a mea culpa and some sort of fix," he said. "Essentially, they're stalling for time, while they figure out how to fix this vulnerability."

He added that Samsung may be under additional pressure because of its low market share in the mobile payments space.

In late July, Apple announced that its Apple Pay platform accounts for three quarters of all contactless payment transactions, leaving just 25 percent for Samsung Pay and Google's Android Pay.
