Samsung Pay Hack Lets Attackers Make Fraudulent Payments (theverge.com)
jmcbain writes: The Verge reports that a security researcher at DefCon outlined a number of attacks targeting Samsung Pay, Samsung's digital payment system that runs on their smartphones. According to the article, the attack "[focuses] on intercepting or fabricating payment tokens -- codes generated by the user's smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. [They expire 24 hours after being generated and are single-use only.]" In a response, Samsung said that "in certain scenarios an attacker could skim a user's payment token and make a fraudulent purchase with their card," but that "the attacker must be physically close to the target while they are making a legitimate purchase."
As a highlight of our tour, we will do a skyscraper climbing course on the Trump Tower. It will be so awesome.
It's a crack. Am I the first to notice this? Is everyone a noobie!
"the attacker must be physically close to the target while they are making a legitimate purchase."
s/the attacker/a skimming device planted by the attacker/
Since when has this ever been a hurdle for fraudsters?
Forgive me if I'm being stupid, but I don't understand the summary. A single use token indicates that it can only be used once. Presumably the token is equivalent to the functionality performed by the chips on new cards. I assume the token has to be presented in order for the transaction to ever be approved. That should prevent it from ever being used for another transaction. If so, how is intercepting this token actually a vulnerability if it's already used at the time it's transmitted and would be intercepted? Shouldn't that be its only use? Also, if that's not the case, shouldn't chip cards be vulnerable to the same attack? I thought the point of a single use token or password is that it doesn't matter if it's intercepted, because it's useless to an attacker when they intercept it.
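The single-use and 24-hour properties quoted in the summary, and questioned in the comment above, modelled as an added example (not code from the article, the thread or Samsung): a hypothetical issuer-side validator showing that "single-use" is enforced only at first redemption, so in this model a token that was generated but never reached the issuer is accepted from whoever presents it first until it expires. The token format, `TokenService` and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 24 * 60 * 60  # seconds: the 24-hour lifetime quoted in the summary


class TokenService:
    """Hypothetical issuer-side token validator (a model, not Samsung Pay's)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer secret, never on the wire
        self._redeemed = set()               # MAC tags of tokens already spent

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, card_id, now):
        # Constructed format: card_id|issue_time|nonce|mac
        body = f"{card_id}|{int(now)}|{secrets.token_hex(8)}"
        return f"{body}|{self._mac(body)}"

    def redeem(self, token, now):
        body, _, tag = token.rpartition("|")
        if not hmac.compare_digest(tag.encode(), self._mac(body).encode()):
            return "invalid"                 # forged or altered
        issued = int(body.split("|")[1])
        if now - issued > TOKEN_TTL:
            return "expired"
        if tag in self._redeemed:
            return "replayed"                # single-use: second presentation fails
        self._redeemed.add(tag)
        return "ok"


def demo():
    svc, t0 = TokenService(), 1_700_000_000  # constructed timestamp
    used = svc.issue("card-A", t0)
    unused = svc.issue("card-A", t0)   # generated but never reached the issuer
    stale = svc.issue("card-A", t0)
    return [
        svc.redeem(used, t0 + 5),                            # first use
        svc.redeem(used, t0 + 60),                           # copy of a spent token
        svc.redeem(unused, t0 + 3600),                       # first presentation wins
        svc.redeem(unused.replace("card-A", "card-B"), t0),  # altered field
        svc.redeem(stale, t0 + TOKEN_TTL + 1),               # past 24 hours
    ]
```

The validator sees only the token, not who presents it, so the window of exposure for an unredeemed token in this model is set entirely by `TOKEN_TTL`.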
Mineral water springs in Baton Rouge are being tapped for their high sulfuric content. Could Samsung somehow incorporate this into their payment system? -- BeauHD
If I am going to trust anybody to make payments for me, it will be my bank or financial institution. The guys who make my phone? I don't think so, much less when they are a heavy-handed, and generally not very nice company like Samsung, when it comes to dealing with its customers. Samsung, you can stick your Samsung Payment you know where.
The financial institution should have a private key and a public key for each user and each user should have a private and public key and they should exchange public keys. When a payment is made each side should encrypt their messages with the public key of the other side. I may not have the complete model down for ensuring that both sides know who and when they are talking to the other person. I know when I am using a cell phone not connected to a cell network so the time isn't right it complains it can't connect due to time synchronization issues, so what's going on?