A computer science student has discovered a major vulnerability in the Samsung Pay payments system that can be used to make unauthorised purchases without restrictions.
The flaw lies in the Magnetic Secure Transmission (MST) technology from United States company LoopPay, which was acquired by Samsung last year.
Samsung Pay uses MST to turn legacy point-of-sale terminals with magnetic stripe readers into contactless terminals. Credit card information is turned into tokens by MST before being sent to the terminals, so that the card data itself is not exposed if the transmission is intercepted.
However, the token generation process has weaknesses. Salvador Mendoza of Modesto Junior College in California presented a method at the annual Black Hat security conference to hijack the payment tokens MST sends and to reuse them for purchases – even in regions that don't yet have Samsung Pay.
Mendoza demonstrated one way to steal Samsung Pay MST tokens using his wrist-wearable "TokenGet" device and social engineering that involves asking the victim to demonstrate the payments technology without making a purchase.
Mendoza demonstrating MST token hijacking in Las Vegas.
The TokenGet device would email the stolen token to Mendoza, allowing for what is effectively wireless "skimming" of credit and debit cards registered with Samsung Pay on victims' smartphones.
By copying over the token to renowned hardware hacker Samy Kamkar's MagSpoof device, Mendoza showed that it was possible to reuse the MST payments information.
Mendoza sent the token to a friend in Mexico to demonstrate how it could be used for purchases in that country, where Samsung Pay is not yet active.
He also showed how the tokens can be hijacked through devices attached to payment terminals on vending machines, emailed to attackers and used to pay for goods and services.
The flaw in the MST token processing was first publicised by Mendoza in April this year, and although Samsung is aware of it, the company has yet to provide a fix for the vulnerability.
Update: Samsung referred iTnews to a statement [pdf] on the token skimming issue, saying a skimmed token cannot be used on its own, without a smartphone, to make payments.
As multiple conditions must be met before a fraudster can skim tokens and relay them to a separate device, such an attack is extremely unlikely to succeed, Samsung said.
The payment signal - a combination of the token generated by the smartphone and a cryptogram authentication code that verifies the transaction data hasn’t been modified - has to be transmitted to the point-of-sale terminal for each transaction and can’t be reused for multiple purchases, it said.
Mendoza’s TokenGet close-proximity token skimming device would also be difficult to use successfully, as an attacker would have to either jam the connection between the phone and the point-of-sale terminal, or complete the fraudulent transaction very quickly, before the user’s legitimate signal reaches the terminal and is sent to the card issuer for authentication - at which point the captured signal becomes useless.
"This skimming attack model has been a known issue reviewed by the card networks and Samsung Pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack," Samsung said.
"The card networks and issuers also run their fraud prevention algorithms on all payment attempts, including Samsung Pay. This serves as another layer of protection against token relay."