Slashdot Mirror


Samsung Pay Hack Lets Attackers Make Fraudulent Payments (theverge.com)

jmcbain writes: The Verge reports that a security researcher at DefCon outlined a number of attacks targeting Samsung Pay, Samsung's digital payment system that runs on their smartphones. According to the article, the attack "[focuses] on intercepting or fabricating payment tokens -- codes generated by the user's smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. [They expire 24 hours after being generated and are single-use only.]" In a response, Samsung said that "in certain scenarios an attacker could skim a user's payment token and make a fraudulent purchase with their card," but that "the attacker must be physically close to the target while they are making a legitimate purchase."


  1. but... by Anonymous Coward · · Score: 2, Insightful

    "the attacker must be physically close to the target while they are making a legitimate purchase."

    s/the attacker/a skimming device planted by the attacker/

    Since when has this ever been a hurdle for fraudsters?

    1. Re:but... by mikeiver1 · · Score: 2

      Actually, they can be a fair distance away and skim the transaction using the likes of a Yagi-Uda antenna. At the very high frequencies the transactional data is transferred at, very small antennas have very high gains. In theory you could sit outside of a door in the comfort of your air-conditioned car pointing the antenna at the register and snoop the traffic as it happens. From there...

    2. Re:but... by AHuxley · · Score: 2

      The NSA had a few neat tricks to overcome that short-distance issue
      Let's Play NSA! The Hackers Open-Sourcing Top Secret Spy Tools (November 17, 2014)
      http://motherboard.vice.com/re...
      NIGHTWATCH, RAGEMASTER, and SURLYSPAWN

      --
      Domestic spying is now "Benign Information Gathering"
  2. Simple question by Anonymous Coward · · Score: 1

    Forgive me if I'm being stupid, but I don't understand the summary. A single-use token indicates that it can only be used once. Presumably the token is equivalent to the functionality performed by the chips on new cards. I assume the token has to be presented in order for the transaction to ever be approved. That should prevent it from ever being used for another transaction. If so, how is intercepting this token actually a vulnerability if it's already used at the time it's transmitted and would be intercepted? Shouldn't that be its only use? Also, if that's not the case, shouldn't chip cards be vulnerable to the same attack? I thought the point of a single-use token or password is that it doesn't matter if it's intercepted, because it's useless to an attacker when they intercept it.

    1. Re: Simple question by Anonymous Coward · · Score: 1

      According to the article:

      "Mendoza outlined a number of attacks targeting this. In one scenario, a wrist-mounted device is used to skim tokens generated by the user's smartphone. This would require a user to authenticate -- but not complete -- a mobile payment, with Mendoza suggesting that a hacker might trick the user by asking to see a demonstration of Samsung Pay."

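Added example, not part of the original thread and not Samsung's code: a toy issuer-side model of the two properties the summary quotes (single use, 24-hour expiry), showing why the single-use check rejects a copy of a completed payment but cannot protect a token from an authentication that was never completed. `TokenService`, `issue`, `redeem`, the HMAC token layout and the card id are all hypothetical.

```python
import hashlib
import hmac
import secrets

TOKEN_LIFETIME = 24 * 60 * 60  # seconds; the 24-hour expiry quoted in the summary


class TokenService:
    """Toy issuer-side model (hypothetical, not Samsung Pay's real design)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed secret for the demo
        self._spent = set()                  # nonces already redeemed

    def issue(self, card_id, now):
        """Called when the user authenticates on the phone: mint a fresh token."""
        nonce = secrets.token_hex(8)
        body = f"{card_id}|{nonce}|{now}"
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"

    def redeem(self, token, now):
        """Called when a terminal presents a token; returns a verdict string."""
        try:
            card_id, nonce, issued, mac = token.split("|")
            issued = int(issued)
        except ValueError:
            return "rejected: malformed"
        body = f"{card_id}|{nonce}|{issued}"
        good = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), good.encode()):
            return "rejected: bad MAC"
        if now - issued > TOKEN_LIFETIME:
            return "rejected: expired"
        if nonce in self._spent:
            return "rejected: already used"
        self._spent.add(nonce)
        return "approved"


def scenarios():
    svc = TokenService()
    used = svc.issue("card-1", now=0)      # user authenticates and pays
    first = svc.redeem(used, now=5)        # legitimate purchase completes
    replay = svc.redeem(used, now=60)      # copy captured during that purchase
    unspent = svc.issue("card-1", now=0)   # authenticated, payment never completed
    other = svc.redeem(unspent, now=3600)  # first presenter wins, whoever it is
    stale = svc.redeem(svc.issue("card-1", now=0), now=TOKEN_LIFETIME + 1)
    return first, replay, other, stale
```

In this model the issuer only learns a token is spent when it is redeemed, so an unspent token stays valid to whoever presents it until the expiry window closes.
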
  3. Re: COME VISIT NEW YORK by hackwrench · · Score: 1

    I think you mistyped YUUGE!

  4. Re: Poor security model by hackwrench · · Score: 1

    Oh, man must have accidentally bumped up against the post anonymously checkbox on the mobile site again.