Researcher unveils second Samsung Pay vulnerability

A security researcher has found a second vulnerability in Samsung Pay

Samsung just can't catch a break these days. Its phones are exploding, and so are its washing machines, and now a security researcher has found a second vulnerability in Samsung Pay.

Salvador Mendoza demonstrated the first vulnerability at Black Hat in August, where he eavesdropped on a payment transaction, generated a token, and used that new token to make an unauthorized purchase in a different location.

Next week, he will be demonstrating the new Samsung Pay vulnerability at the Ekoparty security conference in Buenos Aires, Argentina.

At Black Hat, he showed how an attacker could eavesdrop on the MST transmission that the Samsung phone sends to emulate a magnetic stripe signal and take advantage of a weakness in how the tokens were generated, allowing him to predict new tokens.

"Tokenization is a very useful technique to protect the confidentiality of credit card data," said Frederik Mennes, senior manager of market and security strategy at VASCO Data Security.

"However, it only helps if implemented correctly. For instance, it is very important that payment tokens do not reveal any information about the credit card number they are generated for, and that they cannot be predicted."

The new vulnerability that Mendoza has uncovered involves the NFC communication standard.

"NFC is supposed to be more secure," Mendoza said. "But there is a flaw in it."

Both MST and NFC let the phone communicate with the payment terminal wirelessly, he said, but MST is a one-way transmission, while NFC is a two-way protocol in which the phone and the terminal communicate with one another.

With the MST vulnerability, a special device was needed, which cost Mendoza about $50 to make.

The new NFC vulnerability can be exploited with no new equipment at all, just an app.

"It's easier to carry out the new attack," he said.

The way it works is that the crook stands near the checkout counter with a phone running the interception app while a customer tries to make a purchase. The app eavesdrops on the NFC transmission and grabs the authentication token after the legitimate customer approves the purchase with a fingerprint or PIN code but before the purchase goes through.

The customer gets an error message and tries to put the payment through again.

A new token is issued for the second transaction. Meanwhile, the crook gets up to 24 hours to use the stolen token to make a purchase at any location in the world that has NFC-enabled payment terminals. Mendoza said that he's tested it out at a grocery store, but it could also be done at a Best Buy or a Walmart or another store.
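As an added illustration, not code from the article, from Samsung or from Mendoza, the toy issuer-and-validator below models the two properties the article's sources call out: tokens that are generated unpredictably (Mennes's point above) and a captured token that cannot be reused later or at another terminal (the 24-hour replay window described above). The terminal identifiers, the MAC key, the 60-second validity window and the store names are constructed assumptions, and the token format is not Samsung Pay's.

```python
import hashlib
import hmac
import secrets
# Constructed model, not Samsung Pay's real token format or protocol; the policy
# values are assumptions chosen to show the checks a validator needs.
TOKEN_TTL_SECONDS = 60  # short validity window instead of the 24 hours described

class TokenService:
    def __init__(self, key: bytes):
        self.key = key          # MAC key shared by issuer and validator (assumption)
        self.expiry = {}        # token -> absolute expiry time
        self.redeemed = set()   # tokens already spent, enforcing single use

    def _mac(self, nonce: str, terminal_id: str) -> str:
        # Keyed MAC binds the token to the terminal it was requested for.
        msg = f"{nonce}|{terminal_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, terminal_id: str, now: float) -> str:
        # Random nonce: neither the card number nor earlier tokens can be derived from it.
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(nonce, terminal_id)}"
        self.expiry[token] = now + TOKEN_TTL_SECONDS
        return token

    def redeem(self, token: str, terminal_id: str, now: float) -> str:
        if token in self.redeemed:
            return "rejected: token already used"
        expires = self.expiry.get(token)
        if expires is None or now > expires:
            return "rejected: unknown or expired token"
        nonce, mac = token.split(".")
        if not hmac.compare_digest(mac, self._mac(nonce, terminal_id)):
            return "rejected: token bound to a different terminal"
        self.redeemed.add(token)
        return "approved"

def replay_scenario() -> list:
    # The article's sequence: a token is captured before the purchase completes, the customer retries.
    svc = TokenService(key=b"constructed-demo-key")
    t0 = 1_000_000.0
    captured = svc.issue("store-A-lane-3", t0)       # first attempt, intercepted
    retry = svc.issue("store-A-lane-3", t0 + 20)     # customer's second attempt
    return [
        svc.redeem(retry, "store-A-lane-3", t0 + 25),        # legitimate purchase
        svc.redeem(retry, "store-A-lane-3", t0 + 30),        # same token replayed
        svc.redeem(captured, "store-B-lane-1", t0 + 40),     # other store, in window
        svc.redeem(captured, "store-A-lane-3", t0 + 86400),  # right store, a day later
    ]
```

Only the first redemption is approved; the three misuse cases each fail a different check, which is the point of layering single use, a short lifetime and terminal binding rather than relying on any one of them.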

Standing around next to payment terminals holding a phone while people make payments could look suspicious.

"You can make a fake terminal to intercept the tokens," Mendoza said.

Based on his previous communications with the company, Samsung knows about the vulnerability, he said.

But he wasn't favorably impressed by Samsung's reaction to the first issue.

As of this writing, Samsung hasn't responded to our requests for comment, nor has it issued a statement on the new vulnerability.

Previously, the company issued a statement admitting that it was possible to capture tokens at the point of sale, but that it was difficult to do so.

"This skimming attack model has been a known issue reviewed by the card networks and Samsung Pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack," Samsung said.


Stories by Maria Korolov
