Samsung insists that Samsung Pay, the NFC-based mobile-payment technology baked into many of its Galaxy smartphones and other devices, is totally, 100-percent secure. Except, you know, when it's not. The company has been on the defensive after presentations at the Black Hat and DEF CON security conferences last week detailed how Samsung Pay is vulnerable to skimming attacks.
A presentation, white paper and series of YouTube videos from California-based security researcher Salvador Mendoza purported that it's possible to steal and reuse payment-authorization tokens generated by Samsung Pay. Mendoza says this is because the tokens don't contain expiration dates, which means they take 24 hours to expire, giving miscreants time to reuse the tokens.
Samsung Pay works broadly like NFC-enabled credit cards or Apple Pay, in that you place your device over a reader, and then the technology processes the requested payment after you authenticate using a PIN or fingerprint. Unlike the magnetic strip on credit cards, which holds and transmits a fixed 16-digit account number, Samsung Pay generates and transmits a temporary "token" number that is linked to your financial account and can be used only once.
However, Mendoza said the algorithm used to generate those tokens is easy to crack. He discovered that only the last four to six digits of the tokens actually change from one transaction to the next, which would make them very susceptible to brute-force attacks.
Samsung Pay tokens can also be captured and reused. In a video shot and posted on YouTube yesterday (Aug. 9), Mendoza transmits a token from his Samsung phone to his hand-built card reader, which is plugged into the USB port of a MacBook Pro. The token pops up on the MacBook's screen, and Mendoza copies and pastes it into a separate app designed to work with the Magspoof, a device designed by famed hardware hacker Samy Kamkar to emulate credit-card magnetic-stripe swipes.
Mendoza then powers a Magspoof device, wirelessly transmits the Samsung Pay token to the Magspoof, walks over to a soda machine and successfully purchases a soda with the Magspoof, providing the Samung Pay token as a credit card. The card purchase is authorized, and Mendoza gets a notification on his phone that a purchase has been made with Samsung Pay.
This digital-pickpocketing scenario would require an attacker to be quite near, perhaps only a few inches, to your Samsung phone, but that's not entirely difficult in a crowded store. The catch is that the captured token can be used only once -- the thief has to use it before the legitimate user does.
Mendoza noted that tokens can be poached by interrupting a payment process, as Samsung Pay doesn't attempt to reuse the original token, but instead generates a new one. However, remember that there are only four to six digits that really matter in each token. It might be possible to generate new valid tokens.
Samsung Responds with Confidence, Asterisk
In a statement, Samsung said, "Recent reports implying that Samsung Pay is flawed are simply not true," continuing to explain that "Samsung Pay uses a multi-layer security system that works in tandem with the security systems of our partners to detect any emerging threats."
But in a FAQ released to the press on August 7, Samsung ended a lengthy explanation of its Knox security technology and other protections with a non-denial: "In summary, Samsung Pay's multiple layers of security make it extremely difficult to make a purchase by skimming a token."
Arguably, "extremely difficult" is not the same as "impossible." No technology may provide impossible-to-crack security, but this can clearly be parsed as Samsung admitting that researchers such as Mendoza are onto something.
"This skimming attack model has been a known issue reviewed by the card networks," the Samsung FAQ added. "Samsung Pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack. The card networks and issuers also run their fraud prevention algorithms on all payment attempts, including Samsung Pay. This serves as another layer of protection against token relay."
If you use Samsung Pay, take the simple steps to protect yourself that you probably should have been making already. Always do a line-by-line review of your monthly credit-card statements, and contact your card issuers if you notice any fraudulent charges.