The security expert Salvador Mendoza demonstrated that is it easy to steal Samsung Pay tokens and reuse them to make fraudulent purchases.
The security researcher Salvador Mendoza has discovered a flaw in the Samsung Pay system that could be exploited by hackers to remotely skim credit cards. The attackers can steal Samsung Pay tokens and use them in another device to make fraudulent transactions.
Samsung Pay is a contactless payment system that comes standard in many modern Samsung smartphones. The system relies on tokens that have been designed to securely include credit card data, but evidently something goes wrong.
The bug affects the tokenization process, it could allow attackers to predict the sequencing of the tokens.
Those tokens can be stolen by attackers and used in other hardware to make fraudulent transactions without any restrictions.
As a proof-of-concept, Mendoza sent a token to one of his friends in Mexico who would use it with magnetic spoofing hardware to buy something.
Below a video PoC of the hack:
Mendoza also explained that the theft of Samsung Pay can be very easy, said Mendoza.
“Mendoza built a contraption that straps to his forearm and wirelessly steals magnetic secure transmission (known as an MST) when he picks up someone’s phone, which can then email the token to his inbox, so he can compile it into another phone.” Wrote Zack Whittakerfor Zero Day.
“Or, you can hide that hardware to a legitimate card-reading machine like you would with a traditional card skimmer.”
In his PoC Mendoza loaded a token into the MagSpoof device, that is a tiny device that can spoof/emulate any magnetic stripe or credit card. The MagSpoof device was designed by the popular hacker Samy Kamkar (@SamyKamkar), it can work wirelessly, even on standard magstripe/credit card readers.
The tiny gadget dubbed MagSpoof is a credit card/magstripe spoofer and can be used also at non-wireless payment terminals, it is composed of a microcontroller, motor-driver, wire, a resistor, switch, LED, and a battery.
Mendoza confirmed that every credit card, debit card or prepaid card is vulnerable to his attack, meanwhile, gift cards are not impacted because Samsung Pay relies on a scanned barcode rather than a transmitted signal.