
Samsung Pay security flaw allows fraudulent transactions

Security analyst Salvador Mendoza claims Samsung Pay is vulnerable, but Samsung denies it

Cyber-criminals could potentially intercept and exploit Samsung Pay during its tokenisation process, which encrypts the user's credit card information for each payment made.

During a presentation at the hacker convention Defcon, security analyst Salvador Mendoza exposed several attacks that could potentially target Samsung Pay; however, these flaws were already on Samsung's radar.

Mendoza demonstrated how cyber-criminals could intercept and exploit Samsung Pay during the tokenisation process, which encrypts the user's credit card information for each payment made. Samsung Pay software creates a new token each time it is used, but if that token is not used for a payment it is still valid for 24 hours, meaning hackers have the time to use a high-tech skimmer to intercept it and make another payment.
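The effect of the validity window described above can be seen in a simplified model of a token issuer and verifier. This is an added example, not code from the article, Mendoza's presentation or Samsung; the token format, the `TokenService` class and the `late_presentation` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Simplified one-time payment-token model (assumed design, not Samsung Pay's)."""

    def __init__(self, ttl_seconds):
        self.key = secrets.token_bytes(32)  # issuer-side secret
        self.ttl = ttl_seconds              # how long an unused token stays valid
        self.redeemed = set()               # nonces that have already been spent

    def _mac(self, nonce, issued_at):
        msg = f"{nonce}|{issued_at}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, now):
        nonce = secrets.token_hex(8)
        return f"{nonce}|{now}|{self._mac(nonce, now)}"

    def redeem(self, token, now):
        """Return 'ok', or the reason the token is refused."""
        try:
            nonce, issued_at, mac = token.split("|")
            issued_at = int(issued_at)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(mac, self._mac(nonce, issued_at)):
            return "bad-mac"
        if now < issued_at or now - issued_at > self.ttl:
            return "expired"
        if nonce in self.redeemed:
            return "already-used"
        self.redeemed.add(nonce)
        return "ok"


def late_presentation(ttl_seconds, delay_seconds):
    """Present an unused token delay_seconds after issue, then present it again."""
    svc = TokenService(ttl_seconds)
    token = svc.issue(now=1_000)  # constructed timestamps, in seconds
    first = svc.redeem(token, now=1_000 + delay_seconds)
    second = svc.redeem(token, now=1_000 + delay_seconds + 1)
    return first, second
```

With a 24-hour window, a token that was generated but never spent is still accepted an hour later, whoever presents it; a short window refuses it, and single-use tracking refuses any second presentation.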

Mendoza further found patterns in Samsung's method of token generation, meaning a hacker could make their own token. With this said, Mendoza did not clarify if he was able to generate his own.

Samsung did respond to these claims, stating that though such attacks are possible, they are "extremely difficult" to execute, especially because the hacker would have to be physically close to the user while they are using the contactless payment feature.

Samsung said: "It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials."

Nevertheless, Samsung did release a FAQ, where the company admits that a hacker could skim a user's payment token and make a purchase, but this would depend on certain situations. Plus, the company stated that using Samsung Pay is similar to using a credit card, as both payment methods have risks.

 
