The security expert Salvador Mendoza demonstrated that is it easy to steal Samsung Pay tokens and reuse them to make fraudulent purchases.
The security researcher Salvador Mendoza has discovered a flaw in the Samsung Pay system that could be exploited by hackers to remotely skim credit cards. The attackers can steal Samsung Pay tokens and use them in another device to make fraudulent transactions.
Samsung Pay is a contactless payment system that comes standard in many modern Samsung smartphones. The systemÂ relies on tokens that have been designed to securely include credit card data, but evidently something goes wrong.
The bug affects the tokenization process, it could allowÂ attackers to predict the sequencing of the tokens.
Those tokens can be stolen by attackers and used in other hardware to make fraudulent transactions without any restrictions.
As aÂ proof-of-concept, Mendoza sent a token to one of his friends in Mexico who would use it with magnetic spoofing hardware to buy something.
Below a video PoC of the hack:
Mendoza also explained that the theft of Samsung Pay can be very easy, said Mendoza.
â€śMendoza built a contraption that straps to his forearm and wirelessly steals magnetic secure transmission (known as an MST) when he picks up someoneâ€™s phone, which can then email the token to his inbox, so he can compile it into another phone.â€ť Wrote Â Zack WhittakerÂ forÂ Zero Day.
â€śOr, you can hide that hardware to a legitimate card-reading machine like you would with a traditional card skimmer.â€ť
In his PoC Mendoza loaded a tokenÂ into the MagSpoof device, that is a tiny device that can spoof/emulate any magnetic stripe or credit card. The MagSpoof device was designed by the popular hacker Samy KamkarÂ (@SamyKamkar), it can work wirelessly, even onÂ standard magstripe/credit card readers.
TheÂ tiny gadgetÂ dubbedÂ MagSpoofÂ is aÂ credit card/magstripe spoofer andÂ can be used alsoÂ at non-wireless payment terminals, it is composed ofÂ a microcontroller, motor-driver, wire, a resistor, switch, LED, and a battery.
Mendoza confirmed that every credit card, debit card or prepaid card is vulnerable to his attack, meanwhile, gift cards are not impacted because Samsung Pay relies on a scanned barcode rather than a transmitted signal.