A New Samsung Pay Hack Uses Card Skimming to Make Unauthorized Payments
Where there’s money, there will often be hackers, eager to find a way to exploit a system’s weaknesses to get access to that cash.
Not every hacker is like this, of course, but for those who are, a new such weakness has been found in Samsung Pay and its contactless payment capability.
The hack—presented at Defcon by Salvador Mendoza—has an attacker intercept, or otherwise create out of whole cloth, the payment tokens that are commonly used as a security measure to associate a user with payment information.
Generated by the device and usable for a 24-hour period only, these tokens are in a sense an avatar of the payment data. With Mendoza’s method, an attacker could use a wrist-mounted device or even another smartphone to skim the tokens and then make a payment with them.
Though the payment would be mostly completed, it would then require the actual user to authorize it. That’s a tougher job, but it might be done if the hacker asks the user for a demonstration of Samsung Pay.
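To make the token lifecycle concrete from the defender’s side, here is an added example (not code from the article, from Samsung, or from Mendoza’s talk) of a toy issuer-side authorization check in Python. It assumes a simplified token format, a constructed demo key, and the 24-hour validity window the article mentions; Samsung Pay’s real token and cryptogram scheme is not reproduced. It shows which skimming cases a single-use, MAC-protected, expiring token stops (replay of an already-spent token, an expired token, a tampered or guessed token) and which it does not (a skimmed token that was never spent and is still inside its window), which is exactly where the remaining user-authorization step described above matters.

```python
import hmac
import hashlib
import secrets

# Assumed exact 24-hour validity window, taken from the article's description.
TOKEN_LIFETIME = 24 * 3600


class TokenIssuer:
    """Toy token service (hypothetical, not Samsung's design): issues
    MAC-protected, single-use payment tokens and, at authorization time,
    rejects forged, expired and replayed ones."""

    def __init__(self, key: bytes):
        self.key = key
        self.consumed = set()  # tokens already spent, for replay detection

    def _tag(self, body: str) -> str:
        # HMAC over card reference, issue time and nonce: a guessed or
        # edited token cannot carry a valid tag without the key.
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()[:32]

    def issue_token(self, card_ref: str, now: int) -> str:
        body = f"{card_ref}:{now}:{secrets.token_hex(8)}"
        return f"{body}:{self._tag(body)}"

    def authorize(self, token: str, now: int) -> str:
        parts = token.split(":")
        if len(parts) != 4:
            return "REJECT_MALFORMED"
        card_ref, issued_at, nonce, tag = parts
        body = f"{card_ref}:{issued_at}:{nonce}"
        if not hmac.compare_digest(tag, self._tag(body)):
            return "REJECT_FORGED"          # guessed or tampered token
        if now - int(issued_at) > TOKEN_LIFETIME:
            return "REJECT_EXPIRED"         # outside the 24-hour window
        if token in self.consumed:
            return "REJECT_REPLAY"          # skimmed copy of a spent token
        self.consumed.add(token)
        return "APPROVED"


def simulate_skimming_scenarios() -> dict:
    """Constructed scenarios: the same token string as seen at the terminal
    is presented again under different conditions."""
    issuer = TokenIssuer(key=b"constructed-demo-key-not-a-real-secret")
    t0 = 1_700_000_000  # constructed issue time (epoch seconds)
    outcomes = {}

    # 1. Legitimate use, then a skimmed copy replayed ten minutes later.
    token = issuer.issue_token("cardref-4242", t0)
    skimmed_copy = token
    outcomes["legit_use"] = issuer.authorize(token, t0 + 30)
    outcomes["replay_of_spent_token"] = issuer.authorize(skimmed_copy, t0 + 600)

    # 2. Residual risk: a skimmed token the victim never spent is still good
    #    inside its window. Single-use and expiry do not stop this case.
    unused = issuer.issue_token("cardref-4242", t0)
    outcomes["unused_skim_within_window"] = issuer.authorize(unused, t0 + 3600)

    # 3. The same kind of unused token, presented after the window closes.
    stale = issuer.issue_token("cardref-4242", t0)
    outcomes["expired"] = issuer.authorize(stale, t0 + TOKEN_LIFETIME + 1)

    # 4. Attempt to extend a token's life by editing its embedded issue time.
    parts = issuer.issue_token("cardref-4242", t0).split(":")
    parts[1] = str(t0 + 10 * TOKEN_LIFETIME)
    outcomes["lifetime_extended"] = issuer.authorize(":".join(parts), t0 + 2 * TOKEN_LIFETIME)

    # 5. A token with a plausible layout but a made-up tag.
    guessed = f"cardref-4242:{t0}:{secrets.token_hex(8)}:{'0' * 32}"
    outcomes["guessed"] = issuer.authorize(guessed, t0)

    return outcomes


if __name__ == "__main__":
    for case, result in simulate_skimming_scenarios().items():
        print(f"{case:28s} -> {result}")
```

The point of the design is that the issue time sits under the MAC, so the expiry check cannot be defeated by editing the token, and that the consumed set is kept on the issuer side, so a replayed copy is detected regardless of what the presenting device claims. The one case the issuer cannot distinguish on its own is a never-spent token inside its window, which is why a second check tied to the legitimate user remains necessary.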
Samsung, at last report, knew about this particular potential access point but noted that such an attack was considered “extremely difficult” to achieve. That brings to mind images of the Death Star contractor saying, “No one can get a proton torpedo in a vent this size, so why even bother to protect it?” Still, this is a long shot at best, though Samsung concedes that in certain scenarios a hacker could actually achieve it. Mendoza, meanwhile, notes that it may also be possible to analyze the tokens and find a way to guess how they are generated, though he hasn’t confirmed pulling off such a task as yet.
It’s a little disconcerting to see Samsung so cavalier about a clear payment vulnerability, but it’s likewise important to note that not every weakness can be addressed. Even cash has weaknesses; that’s what counterfeiting is. Reports suggest that any payment card would have a similar vulnerability, but then, shouldn’t a new payment method surpass its predecessors?
Still, there is some comfort here: this new hack took a lot to find, and it turns out to be so difficult that only the best would likely attempt it. Such high-powered hackers, meanwhile, are likely going after bigger targets than one random person’s mobile payment system. So exercise the standard diligence—watch those statements—and the system should be as safe as any.