Samsung Pay's legacy point-of-sale compatibility mode may be insecure: a security researcher demonstrated token theft and remote reuse of the stolen token at the Black Hat conference.
The potential flaw, demonstrated by security analyst Salvador Mendoza at the Black Hat security conference, relies on Samsung's "magnetic secure transmission" (MST), the feature that lets Samsung Pay work at existing magnetic stripe point-of-sale terminals. The data that a Samsung Android phone sends to an ordinary terminal when emulating a magnetic stripe swipe can apparently be collected at short range by specialty hardware.
Mendoza demonstrated a proof-of-concept magnetic capture device at the conference. His prototype was strapped to his arm and forwarded intercepted tokens to an email address. The prototype is also small enough to hide inside a point-of-sale terminal.
After Mendoza demonstrated the hack, with a remote colleague in Mexico making a purchase using magnetic spoofing hardware and a pilfered token transmitted to him, Samsung denied the researcher's claim in a very brief statement.
Mendoza also postulates that data collected can be utilized to make educated guesses at a parent credit card number over time, but did not demonstrate that ability.
Expanding on its denial on Tuesday, Samsung reiterated that while it is possible to intercept a token and use it for a payment, the conditions that have to be met are very specific and hard to orchestrate. As with Apple Pay, a token generated by the payment system is single-use. Beyond the magnetic capture requirement, the attacker would have to use the token before the originating transaction completes.
Users also get immediate notification of a Samsung Pay transaction, so a fraudulent token capture and use could be blocked immediately by the authorized user.
Despite its denial, Samsung says that the skimming attack, in which a token is relayed to a third party, is a "known issue" and an "acceptable" potential risk given the difficulty of executing the attack.
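To make the mechanics concrete, here is an added illustrative model (not Samsung's code, and not Mendoza's tool) of the data path MST emulates and of the single-use check Samsung cites. The track layout is the standard ISO/IEC 7811 track 2 encoding that any stripe reader expects: 4 data bits plus an odd-parity bit per symbol, closed by an LRC symbol. The assumption that the payment token rides in the PAN field, the token and card numbers, the expiry and service code, and the TokenVault class are all constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# ISO/IEC 7811 track 2: 16-symbol alphabet, each symbol stored as 4 data bits
# (least significant bit first) plus one odd-parity bit; the record ends with a
# longitudinal redundancy check (LRC) symbol that is the XOR of every symbol.
TRACK2_ALPHABET = "0123456789:;<=>?"
START_SENTINEL, FIELD_SEPARATOR, END_SENTINEL = ";", "=", "?"


def _odd_parity_bit(value: int) -> int:
    """Return the bit that makes the 5-bit symbol carry an odd number of ones."""
    return 0 if bin(value).count("1") % 2 == 1 else 1


def encode_track2(pan: str, exp_yymm: str, service_code: str, discretionary: str) -> list[int]:
    """Build the bit stream a stripe (or an MST coil) presents to the reader head."""
    text = f"{START_SENTINEL}{pan}{FIELD_SEPARATOR}{exp_yymm}{service_code}{discretionary}{END_SENTINEL}"
    bits: list[int] = []
    lrc = 0
    for symbol in text:
        value = TRACK2_ALPHABET.index(symbol)
        lrc ^= value
        bits += [(value >> i) & 1 for i in range(4)] + [_odd_parity_bit(value)]
    bits += [(lrc >> i) & 1 for i in range(4)] + [_odd_parity_bit(lrc)]
    return bits


def decode_track2(bits: list[int]) -> dict[str, str]:
    """Reader side: verify parity and LRC, then split the fields. Raises ValueError on damage."""
    if len(bits) % 5 or len(bits) < 15:
        raise ValueError("track length")
    symbols = []
    for i in range(0, len(bits), 5):
        group = bits[i:i + 5]
        value = sum(bit << k for k, bit in enumerate(group[:4]))
        if group[4] != _odd_parity_bit(value):
            raise ValueError("parity")
        symbols.append(value)
    data, lrc = symbols[:-1], symbols[-1]
    computed = 0
    for value in data:
        computed ^= value
    if computed != lrc:
        raise ValueError("LRC")
    text = "".join(TRACK2_ALPHABET[v] for v in data)
    if text[0] != START_SENTINEL or text[-1] != END_SENTINEL:
        raise ValueError("sentinel")
    pan, rest = text[1:-1].split(FIELD_SEPARATOR, 1)
    return {"pan": pan, "exp": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


@dataclass
class TokenVault:
    """Constructed stand-in for the token service: a token is honoured once, then burned."""
    issued: dict[str, str] = field(default_factory=dict)   # token PAN -> real PAN, never sent out
    consumed: set[str] = field(default_factory=set)

    def issue(self, real_pan: str, token_pan: str) -> None:
        self.issued[token_pan] = real_pan

    def authorize(self, bits: list[int]) -> tuple[bool, str]:
        """Decide a transaction from the raw track bits a terminal forwarded."""
        try:
            fields = decode_track2(bits)
        except ValueError as err:
            return False, f"unreadable track ({err})"
        token = fields["pan"]
        if token not in self.issued:
            return False, "unknown token"
        if token in self.consumed:
            return False, "token already used"
        self.consumed.add(token)
        return True, "approved"


def phone_burst(token_pan: str) -> list[int]:
    """What the MST coil emits: assumed here to be a track-2 record whose PAN field carries
    the single-use token (constructed values, not Samsung's real layout)."""
    return encode_track2(token_pan, "2412", "101", "0000")


def run_skimming_scenario() -> dict[str, bool]:
    """Replay the race the article describes and report which attempts were approved."""
    vault = TokenVault()
    outcome: dict[str, bool] = {}

    # Token 1: the skimmer's accomplice submits the copied burst before the shop's terminal does.
    vault.issue("5555000000001111", "4000001234567899")
    burst = phone_burst("4000001234567899")
    skimmed = list(burst)                          # bit-for-bit copy relayed to the accomplice
    outcome["remote replay first"], _ = vault.authorize(skimmed)
    outcome["legitimate sale second"], _ = vault.authorize(burst)

    # Token 2: the legitimate sale completes first, so the relayed copy is dead on arrival.
    vault.issue("5555000000001111", "4000009876543210")
    burst = phone_burst("4000009876543210")
    skimmed = list(burst)
    outcome["legitimate sale first"], _ = vault.authorize(burst)
    outcome["remote replay second"], _ = vault.authorize(skimmed)

    # Token 3: a noisy capture with one flipped bit fails parity before any token logic runs.
    vault.issue("5555000000001111", "4000005555555555")
    noisy = phone_burst("4000005555555555")
    noisy[7] ^= 1
    outcome["corrupted capture"], _ = vault.authorize(noisy)
    return outcome
```

The scenario returns which attempts were approved: the relayed copy wins only when it reaches the token service ahead of the shop's own transaction, and a capture with even one flipped bit is thrown out by the reader's parity check, which is why a skimmer has to capture the burst cleanly as well as quickly.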
Fraud involving Apple Pay has run in the other direction: Apple Pay was once a venue for fraud rather than a source of stolen customer data. Around the launch of Apple's service, criminals entered credit card data stolen in other breaches into Apple Pay and used it for payments in stores.
Apple Pay has no legacy point-of-sale compatibility mode and relies instead, in part, on the mandated shift to newer credit card processing machines in the U.S. to help drive merchant acceptance. Furthermore, since the service launched in October 2014, Apple Pay issuing banks have tightened their verification of the cards being enrolled.
40 Comments
So the NFC part of Android Pay is fine, just like Apple Pay, but if you're sophisticated enough to go through the extremely difficult task of building something like this, you may be able to get one payment in for fraud that will ultimately be reversed because of instant notification. Gotcha.
Seems to me the headline to this article is at best misleading, at worst just flat-out wrong. Credit card credentials are not lifted with this method; it’s a tokenised representation of the card (as also used by Apple Pay) that is single-use only.
The "magnetic secure transmission" is a bogus ad hoc feature that relies on the flawed design of magnetic card readers.
Merchants should not allow it and Samsung should discontinue the feature.
If a thief steals an unlocked Samsung phone, they could pay for a lot of stuff since no authentication is needed at the POS.
Worked for First Data for nearly 5 years. Largest transaction processing company in the world, and handled Samsung, Android, and Apple Pay. Tried to explain to people a million times that the mag stripe purchases, even with Samsung Pay, were not as secure as the tokenized and encrypted NFC payments with Touch ID. There's a reason Apple left that technology out. It's dated and much easier to hack. Can't wait for Apple Pay to hit websites. Then I can use it for all my online shopping, since some apps still haven't integrated it yet.