Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samsung Pay Hack Lets Attackers Make Fraudulent Payments (theverge.com)

Posted by BeauHD on from the fraudulent-charges dept.

jmcbain writes: The Verge reports that a security researcher at DefCon outlined a number of attacks targeting Samsung Pay, Samsung's digital payment system that runs on their smartphones. According to the article, the attack "[focuses] on intercepting or fabricating payment tokens -- codes generated by the user's smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. [They expire 24 hours after being generated and are single-use only.]" In a response, Samsung said that "in certain scenarios an attacker could skim a user's payment token and make a fraudulent purchase with their card," but that "the attacker must be physically close to the target while they are making a legitimate purchase."

16 comments

  1. Crack by Anonymous Coward · · Score: 0

    It's a crack. Am I the first to notice this? Is everyone a noobie!

  2. but... by Anonymous Coward · · Score: 2, Insightful

    "the attacker must be physically close to the target while they are making a legitimate purchase."

    s/the attacker/a skimming device planted by the attacker/

    Since when has this ever been a hurdle for fraudsters?

    1. Re:but... by mikeiver1 · · Score: 2

      Actually, they can be a fair distance away and skim the transaction using the likes of a Yagi-Uda antenna. The very high frequencies the transactional data is transferred at it very small antennas have very high gains. In theory you could sit outside of a door in the comfort of your air conditioned car pointing the antenna at the register and snoop the traffic as it happens. From there...

    2. Re:but... by AHuxley · · Score: 2

      The NSA had a few neat tricks overcome that short distance issue
      Let's Play NSA! The Hackers Open-Sourcing Top Secret Spy Tools (November 17, 2014)
      http://motherboard.vice.com/re...
      NIGHTWATCH, RAGEMASTER, and SURLYSPAWN

      --
      Domestic spying is now "Benign Information Gathering"
  3. Simple question by Anonymous Coward · · Score: 1

    Forgive me if I'm being stupid, but I don't understand the summary. A single use token indicates that it can only be used once. Presumably the token is equivalent to the functionality performed by the chips on new cards. I assume the token has to be presented in order for the transaction to ever be approved. That should prevent it for ever being used for another transaction. If so, how is intercepting this token actually a vulnerability of it's already used at the time it's transmitted and would be intercepted? Shouldn't that be it's only use? Also, if that's not the case, shouldn't chip cards be vulnerable to the same attack? I thought the point of a single use token or password is that it doesn't matter if it's intercepted, because it's useless to an attacker when they intercept it.

    1. Re: Simple question by Anonymous Coward · · Score: 1

      According to the article:

      "Mendoza outlined a number of attacks targeting this. In one scenario, a wrist-mounted device is used to skim tokens generated by the user's smartphone. This would require a user to authenticate â" but not complete â" a mobile payment, with Mendoza suggesting that a hacker might trick the user by asking to see a demonstration of Samsung Pay."

  4. Why do people use these things? by OneHundredAndTen · · Score: 0

    If I am going to trust anybody to make payments for me, it will be my bank or financial institution. The guys who make my phone? I don't think so, much less when they are a heavy-handed, and generally not very nice company like Samsung, when it comes to dealing with its customers. Samsung, you can stick your Samsung Payment you know where.

    1. Re: Why do people use these things? by Anonymous Coward · · Score: 0

      Ok grandpa, we'll stay off your lawn too.

  5. Re: COME VISIT NEW YORK by hackwrench · · Score: 1

    I think you mistyped YUUGE!

  6. Poor security model by Anonymous Coward · · Score: 0

    The financial institution shoud have a private key and a public key for each user and each user should have a private and public key and they should exchange public keys. When a payment is made each side should encrypt their messages with the public key of the other side. I may not have the complete model down for ensuring that both sides know who and when they are talking to the other person. I know when I am using a cell phone not connected to a cell network so the time isn't right it complains it can't connect due to time synchronization issues, so what's going on?

    1. Re: Poor security model by hackwrench · · Score: 1

      Oh, man must have accidentally bumped up against the post anonymously checkbox on the mobile site again.

  7. Re: COME VISIT NEW YORK by Anonymous Coward · · Score: 0

    Thanks, Billy.