The newest smartphones in Samsung's Galaxy line come with contactless mobile payment capability. That's good news when it comes to convenience, but it might be bad news when it comes to security.
During a presentation given recently at the Def Con security conference in Las Vegas, a computer science student, Mendoza, demonstrated a variety of attacks against Samsung Pay, Samsung's mobile payment service.
The attacks Mendoza described were able to intercept or fabricate payment tokens, which are the single-use codes created by users' smartphones that they can use to pay via credit card accounts without using card information. The tokens are sent from the users' devices to payment terminals during wireless purchases, and expire 24 hours after they're issued.
During the demonstration, Mendoza used a wrist-mounted device to skim tokens generated by another user’s smartphone. “If a Samsung customer tries to use Samsung Pay but something happens in the middle of the transaction . . . that token [is] still alive,” said Mendoza. “An attacker could jam the transaction process to make Samsung Pay failed [sic] and force it to generate the next token.”
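The two properties the article attributes to these tokens (single use, 24-hour expiry) and the failure mode Mendoza describes (a token left unused after an interrupted transaction stays valid) can be modelled on the issuer side. The following is an added example, not Samsung's code or anything from the presentation: a constructed token registry that enforces single use and expiry, plus a hypothetical mitigation (voiding a device's unused tokens whenever it requests a fresh one) so the stale-token window can be observed with and without it.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Token lifetime as stated in the article (24 hours).
TOKEN_TTL = timedelta(hours=24)


class TokenService:
    """Issuer-side registry of single-use payment tokens (constructed model,
    not Samsung's implementation). A token is good for one redemption within
    TOKEN_TTL of issuance; everything else is rejected."""

    def __init__(self, void_on_reissue: bool = False):
        # Hypothetical mitigation: when a device asks for a new token, any
        # still-unused tokens for that device are voided.
        self.void_on_reissue = void_on_reissue
        self._tokens = {}  # token -> {"device", "issued", "state"}

    def issue(self, device_id: str, now: datetime) -> str:
        if self.void_on_reissue:
            for rec in self._tokens.values():
                if rec["device"] == device_id and rec["state"] == "unused":
                    rec["state"] = "voided"
        token = secrets.token_hex(16)  # opaque random single-use code
        self._tokens[token] = {"device": device_id, "issued": now, "state": "unused"}
        return token

    def redeem(self, token: str, now: datetime) -> str:
        rec = self._tokens.get(token)
        if rec is None:
            return "unknown"
        if rec["state"] != "unused":
            return rec["state"]  # "used" (a replay) or "voided"
        if now - rec["issued"] > TOKEN_TTL:
            rec["state"] = "expired"
            return "expired"
        rec["state"] = "used"
        return "accepted"


def stale_token_scenario(void_on_reissue: bool) -> dict:
    """Replays the article's scenario: phone-A's first transaction is
    interrupted, the phone generates a fresh token, and the first (never
    redeemed) token is presented later. Returns each redemption outcome.
    Clock values are constructed."""
    svc = TokenService(void_on_reissue)
    t0 = datetime(2016, 8, 1, 12, 0, tzinfo=timezone.utc)

    first = svc.issue("phone-A", t0)
    # Transaction interrupted: 'first' is never redeemed at the terminal.
    second = svc.issue("phone-A", t0 + timedelta(minutes=1))

    # Separate device whose only token is presented after the TTL.
    old = svc.issue("phone-B", t0)

    return {
        "second_token": svc.redeem(second, t0 + timedelta(minutes=2)),
        "stale_first_token": svc.redeem(first, t0 + timedelta(hours=1)),
        "second_token_replay": svc.redeem(second, t0 + timedelta(hours=2)),
        "expired_token": svc.redeem(old, t0 + timedelta(hours=25)),
    }


if __name__ == "__main__":
    print("without void-on-reissue:", stale_token_scenario(False))
    print("with void-on-reissue:   ", stale_token_scenario(True))
```

Without the mitigation the never-redeemed first token is still accepted an hour later, which is exactly the window the article describes; replays of an already-used token and redemptions after 24 hours are rejected in both modes. With void-on-reissue enabled, the stale token comes back as "voided". Whether a real issuer can void on reissue depends on the device reporting a new token request to the back end, which is an assumption of this model.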
In his presentation, Mendoza also said that he has uncovered patterns in Samsung's method of token generation that, at least in theory, could let a hacker make his own valid tokens via educated guesses. He didn't say whether or not he's been able to do this himself.
Samsung took issue with that allegation in a post on its security blog. "Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials," according to the company's mobile security staff.
What makes a scenario such as the one described by Mendoza implausible is that the attacker must be physically close to the smartphone user who is in the process of making a purchase, according…