Samsung Pay security flaw allows fraudulent transactions
Security analyst Salvador Mendoza claims Samsung Pay is vulnerable, but Samsung denies it
During a presentation at the hacker convention Defcon, security analyst Salvador Mendoza exposed several attacks that could potentially target Samsung Pay; however, these flaws were already on Samsung's radar.
Mendoza demonstrated how cyber-criminals could intercept and exploit Samsung Pay during the tokenisation process, which encrypts the user's credit card information for each payment made. Samsung Pay creates a new token each time it is used, but if that token is not consumed by a payment it remains valid for 24 hours, giving a hacker time to intercept it with a high-tech skimmer and use it to make another payment.
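To make the risk concrete, the following is an added toy model of the token lifecycle described above; it is not Samsung Pay's code or Mendoza's, and the issuer structure, token strings and the 60-second hardened lifetime are assumptions. It contrasts a token that stays redeemable for 24 hours when unused with an issuer that enforces a short validity window and rejects any second presentation of the same token.

```python
"""Toy model of the payment-token replay window (constructed example)."""
from dataclasses import dataclass, field

TOKEN_LIFETIME_S = 24 * 3600   # validity window as described in the article
HARDENED_LIFETIME_S = 60       # assumed short window for the hardened issuer


@dataclass
class Issuer:
    """Simplified token issuer: remembers issued tokens and which were spent."""
    lifetime_s: int
    issued: dict = field(default_factory=dict)   # token -> issue timestamp
    spent: set = field(default_factory=set)

    def issue(self, token: str, now: int) -> None:
        self.issued[token] = now

    def redeem(self, token: str, now: int) -> bool:
        """Merchant presents a token; return True if the payment clears."""
        issued_at = self.issued.get(token)
        if issued_at is None:
            return False                       # unknown token
        if now - issued_at > self.lifetime_s:
            return False                       # outside the validity window
        if token in self.spent:
            return False                       # second presentation: replay
        self.spent.add(token)
        return True


def replay_window_demo() -> dict:
    """Run the same event sequence against the lax and hardened issuers."""
    results = {}
    # Scenario 1: token captured at the tap, but the original payment never clears.
    lax = Issuer(lifetime_s=TOKEN_LIFETIME_S)
    lax.issue("tok-A", now=0)
    results["lax_unused_token_hours_later"] = lax.redeem("tok-A", now=23 * 3600)
    hard = Issuer(lifetime_s=HARDENED_LIFETIME_S)
    hard.issue("tok-A", now=0)
    results["hard_unused_token_hours_later"] = hard.redeem("tok-A", now=23 * 3600)
    # Scenario 2: legitimate payment clears, then a skimmed copy is presented again.
    hard.issue("tok-B", now=100)
    results["hard_first_use"] = hard.redeem("tok-B", now=105)
    results["hard_replay"] = hard.redeem("tok-B", now=110)
    return results


if __name__ == "__main__":
    print(replay_window_demo())
```

Only the first scenario differs between the two issuers: both already reject a token that has been spent once, so the exposure the article describes comes from the long window during which an unused token still clears.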
Mendoza further found patterns in Samsung's method of token generation, meaning a hacker could potentially make their own token. That said, Mendoza did not clarify whether he was able to generate one himself.
Samsung did respond to these claims, stating that though such attacks are possible, they are "extremely difficult" to execute, especially because the hacker would have to be physically close to the user and act while they are using the contactless payment feature.
Samsung said: "It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials."
Nevertheless, Samsung did release a FAQ in which the company admits that a hacker could skim a user's payment token and make a purchase, but only under certain conditions. The company also stated that using Samsung Pay is similar to using a credit card, as both payment methods carry risks.