An interesting story is developing around Samsung Pay: the first part is that transaction tokens can be intercepted; and the second part is that Samsung calls this an “acceptable risk” because it’s hard to do.
Researchers demonstrated the hack at this year’s Defcon, as noted by The Verge. It relies on Samsung Pay’s “magnetic secure transmission” for use with traditional magnetic stripe readers. Samsung devices with this feature generate a magnetic field that transmits transaction information—including a one-time token—to a stripe reader.
It turns out that transmission can be intercepted. During the Black Hat demonstration, a researcher did so using equipment strapped to his arm. It’s small enough, however, to hide inside a point of sale terminal, and a bad guy could perhaps secure it near a reader.
The transaction token is intercepted by the device, which then emails it to a designated address. The researchers then demonstrated using that intercepted token to make a different transaction than the one it was intended for.
Yeah, But It’s All Cool, Bro
That all sounds pretty darn scary to me, but Samsung doesn’t think so. The company issued a statement denying the Black Hat demonstration was accurate. In a fascinating extra, that statement came with its own FAQ. Seriously. Buried at the bottom of the FAQ was this note:
This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack. The card networks and issuers also run their fraud prevention algorithms on all payment attempts, including Samsung Pay. This serves as another layer of protection against token relay.
My interpretation of that footnote to the FAQ of the statement (!!) is, yeah, this is possible, but it’s really hard, so it’s all cool, bro.
Samsung does have a tiny point. Taking advantage of this sort of hack is hard. You have to complete a transaction using the one-time token before it’s used by its legitimate owner. Alternatively, the bad guys could use tokens from canceled transactions. But it doesn’t seem like a stretch for the bad guys to set up automated systems that quickly conduct small transactions, the kind that go unnoticed by consumers and fraud detection alike.
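To make the race described above concrete, here is a small issuer-side model of one-time tokens. It is an added illustration written for this page, not Samsung Pay’s or any card network’s real code; the token value, timestamps, 60-second validity window and the "void on cancel" hook are all constructed assumptions. It shows why a single-use token alone only protects the cardholder when the legitimate purchase reaches the issuer first, why a token from a canceled transaction stays usable unless the issuer is told to void it, and how a short expiry shrinks the window in which a held token is worth anything.

```python
"""Hypothetical issuer-side model of one-time payment tokens (constructed for
this page; not Samsung Pay's actual implementation). A relayed token is only
accepted if it reaches the issuer before the legitimate use, and tokens from
cancelled transactions stay usable unless the issuer voids them."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TokenRecord:
    issued_at: float
    state: str = "issued"  # issued | consumed | voided


class IssuerTokenLedger:
    """Tracks every one-time token the issuer has handed out."""

    def __init__(self, ttl_seconds: float = 60.0) -> None:
        self.ttl = ttl_seconds  # assumed validity window (constructed value)
        self.records: dict[str, TokenRecord] = {}

    def issue(self, token: str, now: float) -> None:
        self.records[token] = TokenRecord(issued_at=now)

    def void(self, token: str) -> None:
        """Hypothetical hook: the wallet reports a cancelled transaction."""
        rec = self.records.get(token)
        if rec is not None and rec.state == "issued":
            rec.state = "voided"

    def authorize(self, token: str, now: float) -> str:
        """First valid presentation wins; every later one is declined."""
        rec = self.records.get(token)
        if rec is None:
            return "DECLINED: unknown token"
        if rec.state == "consumed":
            return "DECLINED: token already used"
        if rec.state == "voided":
            return "DECLINED: token voided"
        if now - rec.issued_at > self.ttl:
            return "DECLINED: token expired"
        rec.state = "consumed"
        return "APPROVED"


# Scenarios below use constructed timestamps (seconds since token issue).
TOKEN = "tok-demo-0001"  # constructed sample token, not a real one


def relay_after_legitimate_use() -> tuple[str, str]:
    ledger = IssuerTokenLedger()
    ledger.issue(TOKEN, now=0.0)
    legit = ledger.authorize(TOKEN, now=5.0)  # cardholder's own purchase
    relay = ledger.authorize(TOKEN, now=6.0)  # skimmed copy arrives later
    return legit, relay


def relay_before_legitimate_use() -> tuple[str, str]:
    ledger = IssuerTokenLedger()
    ledger.issue(TOKEN, now=0.0)
    relay = ledger.authorize(TOKEN, now=3.0)  # skimmed copy wins the race
    legit = ledger.authorize(TOKEN, now=5.0)  # cardholder is now declined
    return relay, legit


def cancelled_transaction(issuer_voids: bool) -> str:
    ledger = IssuerTokenLedger()
    ledger.issue(TOKEN, now=0.0)
    if issuer_voids:
        ledger.void(TOKEN)  # wallet reported the cancel to the issuer
    return ledger.authorize(TOKEN, now=20.0)  # later use of the unused token


def stale_relay() -> str:
    ledger = IssuerTokenLedger(ttl_seconds=60.0)
    ledger.issue(TOKEN, now=0.0)
    return ledger.authorize(TOKEN, now=300.0)  # held too long; TTL catches it


if __name__ == "__main__":
    print("relay after legit use :", relay_after_legitimate_use())
    print("relay before legit use:", relay_before_legitimate_use())
    print("cancelled, not voided :", cancelled_transaction(issuer_voids=False))
    print("cancelled, voided     :", cancelled_transaction(issuer_voids=True))
    print("stale relay           :", stale_relay())
```

The second scenario is the one the article worries about: nothing in a plain single-use check distinguishes the skimmed copy from the real presentation, so whichever arrives first is approved. The cancelled-transaction scenario shows why the issuer needs an explicit signal from the wallet, and the last one shows the only defence that works without any signal at all, a validity window short enough that a collected token is dead before an automated system can spend it.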
The point I personally take away is that magnetic stripe transactions are weak on security in the first place. That’s why credit card companies have moved to the (absurdly slow) chips in our cards. It’s also why Apple saw an opportunity for Apple Pay, a contactless payment system not vulnerable to this kind of exploit.
Samsung using this legacy system to (try to) get a leg up for its unneeded payment service was a stupid idea in the first place. It’s only a matter of time before someone actively exploits this vulnerability and Samsung is forced to pull the plug.