Reported Samsung Pay flaw lets thieves remotely collect credit card credentials

Samsung Pay's legacy point-of-sale system compatibility mode may be insecure, as a token theft and remote use vulnerability was demonstrated by a security researcher at the Black Hat conference.

The potential security flaw, demonstrated by security analyst Salvador Mendoza at the Black Hat security conference, relies on Samsung's "magnetic secure transmission" central to Samsung Pay's ability to work at existing magnetic stripe point-of-sale terminals. The data that is sent to a regular point of sale terminal by an Android phone using Samsung Pay to emulate a magnetic stripe scan appears to be collectible at short ranges by specialty hardware.

A proof of concept magnetic hardware capture device was demonstrated by Mendoza at the conference. His prototype build was strapped to his arm, and forwarded intercepted tokens to an email address. The prototype is also sufficiently small to be hidden inside a point of sale terminal.

Following the hack being demonstrated by Mendoza and a remote colleague making a purchase with magnetic spoofing hardware from a pilfered token transmitted to Mexico, Samsung denied the researcher's claim in a very brief statement.

Mendoza also postulates that data collected can be utilized to make educated guesses at a parent credit card number over time, but did not demonstrate that ability.

In the denial amplified on Tuesday, Samsung reiterated that while it is possible to intercept a token and use it for a payment, the conditions that have to be met are very specific, and hard to orchestrate. As with Apple Pay, a token generated by the pay system is single-use. In addition to the magnetic capture requirements, the attacker would have to use the token before the originating transaction completes.

Users also get immediate notification of a Samsung Pay transaction, so a fraudulent token capture and use could be blocked

immediately by the authorized user.

Despite all the denials, Samsung claims that the skimming attack which results in a token relay to a third party is a "known issue" and is an "acceptable" potential risk, given the difficulty of executing the attack.

Fraud with Apple Pay has been in the other direction, with Apple Pay once the venue for fraud, instead of customer data stolen as a result of use of it. Around the launch of Apple's service, criminals used stolen credit card data from other breaches, and entered the data into Apple Pay, for payments in stores.

Apple Pay does not have a legacy point of sale terminal compatibility mode, and is relying instead in part on mandated shifts to credit card processing machines in the U.S. to assist with vendor acceptance. Furthermore, since launch in 2015, data source authentication by Apple Pay issuing banks has tightened.