Slashdot Mirror


Samsung Pay Hack Lets Attackers Make Fraudulent Payments (theverge.com)

jmcbain writes: The Verge reports that a security researcher at DefCon outlined a number of attacks targeting Samsung Pay, Samsung's digital payment system that runs on their smartphones. According to the article, the attack "[focuses] on intercepting or fabricating payment tokens -- codes generated by the user's smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. [They expire 24 hours after being generated and are single-use only.]" In a response, Samsung said that "in certain scenarios an attacker could skim a user's payment token and make a fraudulent purchase with their card," but that "the attacker must be physically close to the target while they are making a legitimate purchase."


  1. but... by Anonymous Coward · · Score: 2, Insightful

    "the attacker must be physically close to the target while they are making a legitimate purchase."

    s/the attacker/a skimming device planted by the attacker/

    Since when has this ever been a hurdle for fraudsters?

    1. Re:but... by mikeiver1 · · Score: 2

      Actually, they can be a fair distance away and skim the transaction using the likes of a Yagi-Uda antenna. At the very high frequencies the transactional data is transferred at, very small antennas have very high gains. In theory you could sit outside of a door in the comfort of your air-conditioned car pointing the antenna at the register and snoop the traffic as it happens. From there...

    2. Re:but... by AHuxley · · Score: 2

      The NSA had a few neat tricks to overcome that short distance issue
      Let's Play NSA! The Hackers Open-Sourcing Top Secret Spy Tools (November 17, 2014)
      http://motherboard.vice.com/re...
      NIGHTWATCH, RAGEMASTER, and SURLYSPAWN

      --
      Domestic spying is now "Benign Information Gathering"