Samsung Pay security flaw allows fraudulent transactions

Security analyst Salvador Mendoza claims Samsung Pay is vulnerable, but Samsung denies it

Cyber-criminals could potentially intercept and exploit Samsung Pay during its tokenisation process, which encrypts the user's credit card information for each payment made. (Sarah Kerver/Getty Images for Samsung)

By Aasha Bodhani. Published August 10, 2016

During a presentation at the hacker convention Defcon, security analyst Salvador Mendoza exposed several attacks that could potentially target Samsung Pay. However, these flaws were already on Samsung's radar.

Mendoza demonstrated how cyber-criminals could intercept and exploit Samsung Pay during the tokenisation process, which encrypts the user's credit card information for each payment made. Samsung Pay software creates a new token each time it is used, but if that token is not used for a payment it is still valid for 24 hours, meaning hackers have the time to use a high-tech skimmer to intercept it and make another payment.
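The risk described above comes down to how long an unspent token stays valid and whether it can be redeemed more than once. The following is an added example, not Samsung's code or token format: a hypothetical issuer-side verifier (`TokenVerifier`, the HMAC token layout and the 60-second comparison window are all assumptions) showing how the validity window and a single-use check decide whether a late-presented token is accepted.

```python
import hashlib
import hmac
import os
import time

DAY = 24 * 60 * 60  # unused-token lifetime reported in the article


class TokenVerifier:
    """Hypothetical issuer-side check: signature, age, then single use."""

    def __init__(self, key, ttl_seconds):
        self.key = key
        self.ttl = ttl_seconds
        self.redeemed = set()  # nonces of tokens already used for a payment

    def _mac(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, now):
        # Constructed token layout: random nonce + issue time + HMAC over both.
        body = f"{os.urandom(8).hex()}.{int(now)}"
        return f"{body}.{self._mac(body)}"

    def redeem(self, token, now):
        try:
            nonce, issued, mac = token.split(".")
            issued_at = int(issued)
        except ValueError:
            return "rejected: malformed"
        if not hmac.compare_digest(mac, self._mac(f"{nonce}.{issued}")):
            return "rejected: bad signature"
        if not 0 <= now - issued_at <= self.ttl:
            return "rejected: expired"
        if nonce in self.redeemed:
            return "rejected: already used"
        self.redeemed.add(nonce)
        return "accepted"


def replay_outcomes(ttl_seconds, delay_seconds):
    """Present one never-spent token after a delay, then present it again."""
    verifier = TokenVerifier(os.urandom(32), ttl_seconds)
    t0 = int(time.time())
    token = verifier.issue(t0)  # generated on the phone but never spent
    first = verifier.redeem(token, t0 + delay_seconds)
    second = verifier.redeem(token, t0 + delay_seconds + 1)
    return first, second
```

With a 24-hour window, a token presented an hour after it was generated is still accepted once; with the assumed 60-second window the same token is rejected as expired.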

Mendoza further found patterns in Samsung's method of token generation, meaning a hacker could make their own token. That said, Mendoza did not clarify whether he was able to generate his own.

Samsung responded to these claims, stating that though such attacks are possible, they are "extremely difficult" to execute, especially because the hacker would have to be physically close to the user while they are using the contactless payment feature.

Samsung said: "It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials."

Nevertheless, Samsung did release a FAQ in which the company admits that a hacker could skim a user's payment token and make a purchase, though this would depend on certain situations. The company also stated that using Samsung Pay is similar to using a credit card, as both payment methods have risks.

 
