Samsung Pay, the company's answer to Apple Pay for high-end Samsung phones, suffers from a security vulnerability that could let hackers skim credit cards stored in the system and then make fraudulent payments. The vulnerability was pointed out by Salvador Mendoza, a researcher of Android apps, in a presentation at Defcon, the world's largest running underground hacking conference. Mendoza outlined flaws in Samsung Pay, which relies on the company's tokenization scheme. Samsung, for its part, has denied that its payment system can be compromised; it said the risk is known, but that it is very unlikely such an attack can be executed.

When a user adds a Mastercard, Visa, or any other card to Samsung Pay, the system generates a random token that stands in for the credit card information. These tokens are saved in a Token Vault until the mobile device sends one to the payment terminal where the user wishes to pay with Samsung Pay. The idea behind this token system is that someone who obtains a token number still cannot extract the original credit card information, so the original card stays secure. Each token can be used once, and is only valid for 24 hours.

Mendoza's presentation focused on the interception and fabrication of these payment tokens. Samsung claims there is no way anyone can guess a token number, as the system generates them randomly. The security researcher claims to have found ways to attack the system, and said he was able to make purchases using tokens obtained from Samsung Pay with the help of a MagSpoof device. Even though a token can be used only once, he claims an attacker can guess the last three digits of the next token.
In the second scenario, if the attacker is able to disrupt the payment in the middle of a transaction, the token remains valid. This jam forces Samsung Pay to generate a new token, while the older one stays valid, so an attacker might be able to use the previous tokenized number to make a purchase. Mendoza also shared images of a jamming device that can be used for this purpose. The solution, according to the report, is for Samsung Pay to suspend such tokens as quickly as possible after the app generates a new one. The report adds that Samsung Pay should avoid using static passwords to encrypt its files, as it is possible for someone to reverse and exploit them. However, Samsung's post says the algorithm displayed at the Defcon event is not the one it uses to encrypt payment credentials, so such attacks are not possible. The company does admit that the skimming attack model has been a known issue for card networks, Samsung Pay and their partners, even though the possibility of such an attack is extremely low.
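To make the token-lifecycle point concrete, here is an added illustration in Python; it is a constructed model, not Samsung's code or anything from the talk. It contrasts a vault that leaves an earlier token valid after a replacement is issued (the behaviour described above) with one that applies the suggested fix and retires every earlier token for the card as soon as a new one is generated. Token format, the `TokenVault` class and the `interrupted_transaction` scenario are all assumptions made for the example.

```python
import secrets

TOKEN_TTL_SECONDS = 24 * 60 * 60  # article: each token is valid for 24 hours


class TokenVault:
    """Constructed per-card token vault model (not Samsung's implementation).

    supersede=False: an old token stays valid after a replacement is issued.
    supersede=True:  issuing a new token for a card retires every earlier
                     active token for that card (the fix the report suggests).
    """

    def __init__(self, supersede: bool):
        self.supersede = supersede
        self.tokens = {}  # token -> {"card": ..., "issued": ..., "state": ...}

    def issue(self, card_id: str, now: float) -> str:
        if self.supersede:
            for rec in self.tokens.values():
                if rec["card"] == card_id and rec["state"] == "active":
                    rec["state"] = "superseded"
        token = secrets.token_hex(8)  # constructed token format, not Samsung's
        self.tokens[token] = {"card": card_id, "issued": now, "state": "active"}
        return token

    def redeem(self, token: str, now: float) -> str:
        """Terminal-side acceptance: single use, 24 h lifetime, must be active."""
        rec = self.tokens.get(token)
        if rec is None:
            return "rejected:unknown"
        if rec["state"] != "active":
            return "rejected:" + rec["state"]
        if now - rec["issued"] > TOKEN_TTL_SECONDS:
            rec["state"] = "expired"
            return "rejected:expired"
        rec["state"] = "spent"  # each token can be used once
        return "approved"


def interrupted_transaction(supersede: bool):
    """Transaction 1 is interrupted (its token never reaches the terminal),
    the app issues token 2, and the first token is presented later."""
    vault = TokenVault(supersede)
    t0 = 1_000_000.0
    first = vault.issue("card-A", t0)            # interrupted, never redeemed
    second = vault.issue("card-A", t0 + 30)      # app retries with a new token
    result_second = vault.redeem(second, t0 + 35)
    result_first = vault.redeem(first, t0 + 600)  # stale token presented later
    return result_second, result_first
```

With `supersede=False` both tokens are approved; with `supersede=True` the stale token is rejected as superseded, which is the behaviour the report asks Samsung Pay to adopt.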