Samsung Pay Transaction Tokens Can Be Intercepted, But It’s All Cool, Bro

Editorial

An interesting story is developing around Samsung Pay: the first part is that transaction tokens can be intercepted; and the second part is that Samsung calls this an “acceptable risk” because it’s hard to do.

Interception

Researchers demonstrated the hack at this year’s Defcon, as noted by The Verge. It relies on Samsung Pay’s “magnetic secure transmission” for use with traditional magnetic stripe readers. Samsung devices with this feature generate a magnetic field that transmits transaction information—including a one-time token—to a stripe reader.

It turns out that transmission can be intercepted. During the Black Hat demonstration, a researcher did so using equipment strapped to his arm. It’s small enough, however, to hide inside a point of sale terminal, and a bad guy could perhaps secure it near a reader.

The transaction token is intercepted by the device, which then emails it to a designated address. The researchers then demonstrated using that intercepted token to make a different transaction than the one it was intended for.

Yeah, But It’s All Cool, Bro

That all sounds pretty darn scary to me, but Samsung doesn’t think so. The company issued a statement denying the Black Hat demonstration was accurate. In a fascinating extra, that statement came with its own FAQ. Seriously. Buried at the bottom of the FAQ was this note:

This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack. The card networks and issuers also run their fraud prevention algorithms on all payment attempts, including Samsung Pay. This serves as another layer of protection against token relay.

My interpretation of that footnote to the FAQ of the statement (!!) is, yeah, this is possible, but it’s really hard, so it’s all cool, bro.

Samsung does have a tiny point. Taking advantage of this sort of hack is hard. You have to complete a transaction using the one-time token before it’s used by its legitimate owner. Alternately, the bad guys could use tokens from canceled transactions. But it doesn’t seem like a stretch for the bad guys to set up automated systems that quickly conduct small transactions, the kind that go unnoticed by consumers and fraud detection alike.
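As an added illustration (not Samsung’s, a card network’s or any issuer’s code), here is a small Python model of the issuer-side ledger that a one-time token needs if “one-time” is to hold against the two reuse cases above: whoever presents the token first gets the approval and the real checkout is then refused, a cancelled sale voids the token rather than freeing it, and a token held past its window is rejected. The token format, the merchant names, the 60-second window and the state names are all assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 60  # assumed validity window; a shorter window shrinks the relay race


@dataclass
class TokenRecord:
    issued_at: float
    state: str = "fresh"            # fresh -> consumed; fresh or consumed -> void
    merchant: Optional[str] = None  # merchant that first redeemed the token (logged, not bound)


class IssuerTokenService:
    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock
        self._ledger: Dict[str, TokenRecord] = {}

    def issue(self) -> str:
        token = secrets.token_hex(8)  # stand-in for the real one-time cryptogram
        self._ledger[token] = TokenRecord(issued_at=self._clock())
        return token

    def authorize(self, token: str, merchant: str) -> str:
        rec = self._ledger.get(token)
        if rec is None or rec.state != "fresh":
            return "declined:unknown-or-used"  # never issued, already consumed, or voided
        if self._clock() - rec.issued_at > TOKEN_TTL_SECONDS:
            rec.state = "void"
            return "declined:expired"
        rec.state, rec.merchant = "consumed", merchant
        return "approved"

    def cancel(self, token: str) -> None:
        rec = self._ledger.get(token)
        if rec is not None:
            rec.state = "void"  # a cancelled sale kills the token; it never returns to "fresh"


def run_scenarios() -> Dict[str, List[str]]:
    now = [1000.0]  # controllable clock so the expiry case runs offline
    svc = IssuerTokenService(clock=lambda: now[0])
    relayed = svc.issue()  # copied token is redeemed first; the real checkout then fails
    relay = [svc.authorize(relayed, "online-store"), svc.authorize(relayed, "pos-lane-3")]
    cancelled = svc.issue()  # a cancelled sale must not revive the token
    svc.authorize(cancelled, "pos-lane-3")
    svc.cancel(cancelled)
    stale = svc.issue()  # a captured token held past its window is useless
    now[0] += TOKEN_TTL_SECONDS + 1
    return {"relay": relay, "cancelled": [svc.authorize(cancelled, "online-store")],
            "stale": [svc.authorize(stale, "online-store")]}
```

The second decline in the relay case is the only signal the legitimate customer sees: the register waits for a payment that never goes through.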

Duh

The point I personally take away is that magnetic stripe transactions are weak on security in the first place. That’s why credit card companies have moved to the (absurdly slow) chips in our cards. It’s also why Apple saw an opportunity for Apple Pay, a contactless payment system not vulnerable to this kind of exploit.

Samsung using this legacy system to (try to) get a leg up for its unneeded payment service was a stupid idea in the first place. It’s only a matter of time before someone actively exploits this vulnerability and Samsung is forced to pull the plug.

9 Comments

  1. I was worried there when you said they used a single use token again!

    But then you clarified that no, it wasn’t used again, it was used before the user could use it!

    Now I have to admit that if these single use tokens can be used again when a transaction is cancelled, that is a serious breach of security. But I’m thinking that’s not reality and is just something you threw out there as a possible concern with no evidence that it works that way. If you do have evidence, please share!

  2. Oh Hai! Those chips in your cards aren’t any more secure than the magnetic stripe! Exploits have been in the wild in Europe where chip and pin went live years ago! Seriously if you think using that chip is securing your transactions I’ve got a bridge to sell you!

  3. daemon: chip cards are a great improvement in certain circumstances, but not all.

    You are right that there have been exploits against chip+PIN in Europe. But this is far, far less than the roaring success that criminals have had in the U.S. with breaches such as Target and Home Depot.

    Is chip technology 100% secure? No. But the attack possibilities are much smaller than with mag stripe.

  4. @vpndev:

    Chip & PIN Fraud Explained – Computerphile

    Here in the United States Chip and PIN is nothing more than security theatre for congressional members to convince them to shift fraud liability from the banks to the account holders. Someone steals your credit card Chip and PIN info and suddenly they say it’s your fault and your account isn’t covered by the bank’s fraud protection any more.

  5. Bryan:

    I mean, dude! You need to get with the programme here. Didn’t you grok the part where Samsung said,

    This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack.

    What more needs to be said, right? We’re talking Samsung here. And their partners. You know, their partners?!!

    Yeah, it would be hard! And as we all know, bad guys just don’t do hard. They go for the easy stuff. I mean, it’s not like they’d ever remotely take over your computer, slave it to a network and conduct a global denial of service attack, or hack into professional grade secure banks, and uber-secure government agencies, or eavesdrop and spy on you from your devices…or stuff. Those are just unemployed geeks and hacktivists, not bad guys, because, read my lips, bad guys don’t do hard stuff. Okay?

    Let me give you a couple of examples.

    SCENARIO 1: In a remote hideout in a desert far, far away…

    Bad guy leader:
    Here’s our new plan for buying weapons for our sleeper terror cells overseas. We’re going to create a programme that allows us to intercept purchase tokens of Samsung smart phones whenever they are detected at store chain X, divert those purchases to the online site Y and purchase assault rifles, side arms, knives, vests – everything they need to carry out our attacks. To avoid tracking by the enemy, we’ll do it just before the attack, have the weapons shipped to a public box, our guys will pick up their kit, and ta-daaaa! Brilliant, no?

    Bad guy developer:
    Uh, no sir.

    BGL:
    Why not?

    BGD:
    Because that would be hard.

    BGL:
    I guess you’re right. Hard is tough. We’ll just have to tell our guys that if they want to carry out attacks, they’ll have to buy their own stuff, or just sit it out.

    SCENARIO 2: In some steamy jungle headquarters in your unfriendly neighbourhood banana republic…

    Bad Guy Chief:
    Here’s our plan for taking out two of our political targets in country X. We’re gonna develop software that allows us to intercept a transaction token on Samsung Pay. Our agent in Politician X’s office will use that device to divert that purchase on a Samsung phone, which he has already identified in Politician X’s office, for a firearm, have it sent to our lock box in country X, our asset will then retrieve the weapon, take out Politician Y, plant the weapon in Politician X’s bedroom, where we’ll arrange for it to be discovered by our other agent who works as his maid, he’ll be arrested, tortured and executed. And we can verify it all on Youtube! Brilliant right? God, I love being a nefarious spook! What?!!

    Bad Guy Subordinate:
    Um, no Commandanté.

    BGC:
    Why not?

    BGS:
    Let me ‘splain it this way. That would be hard. You know, ‘H-A-R-D’? We just don’t do hard, sir. That takes planning and hard work. And hard is hard.

    BGC:
    Well, I guess you’re right. I’d better go and tell our fearless dictator that we’ll just have to defer our plans for havoc, mayhem and global dominion.

    Yep. Bad guys don’t do hard, because the payoff just isn’t attractive.

    Glad we got that straight.

  6. …..
    This is how Samsung pay works:
    You enter your pin into your Samsung Pay app on the phone.
    The app generates a one time use token.
    You bring your phone into range of the magstripe reader.
    Your phone transmits the one time use token.
    This is where your information is stolen.
    The one time use token is used.
    You get an email telling you what you just bought.
    Oh my goodness, I see here that I just bought a $3.5 million harrier jet when I was attempting to buy a .99 cola. Huh, the register is still waiting for me to pay cause my transaction didn’t go through.
    Something isn’t right, but I don’t know what it could be……..

  7. @daemon:

    I appreciate your elaboration on how Samsung Pay works. And I agree; no one is going to authorise a purchase that is so obviously what they did not intend.

    Your rebuttal, however, risks seriously under-estimating the preplanning, resources and execution of state-sponsored exploits to deceive and defeat system vulnerabilities.

    Don’t forget, when the US and allies unleashed Stuxnet on Iran, Iran responded with a very effective take down of Wall Street, and they made sure that the US knew who did it.

    Given the incentive of state-sponsored and well resourced bad guys to do harm, it is inexcusable for Samsung, Apple or any company that has assumed the responsibility of handling our critical data to know of a potential vulnerability and leave it open on the grounds that it would be hard to exploit. That is especially true now, with the ubiquity of smartphones and the role they play in daily life.

    Hard is relative, particularly when you wield the resources of a determined nation state.

  8. @wab95 I’m unaware of any such response from Iran to Stuxnet six years ago. I’ve read multiple claims by conspiracy theorists saying that Iran has breached the security of hundreds of US firms and had formed a cyber beachhead here in the US, but no actual attacks that were linked to Iran.

    Most of the publicized state sponsored attacks have been linked to China and Russia.

  9. @daemon

    I’m not surprised that you may have heard only unsubstantiated rumours. I was not in the USA during that period, but didn’t see much US press coverage.

    Nonetheless, assertions were not confined to conspiracy theorists, but US military officials http://www.businessinsider.com/iranian-cyberattacks-retaliation-for-stuxnet-virus-2013-1 (just one of many), government officials and cyber security experts have as well http://www.wsj.com/articles/u-s-detects-flurry-of-iranian-hacking-1446684754. It was also addressed in the documentary, Zero Days. Worth a look, if you haven’t seen it.

    Iran, of course, has always publicly denied any cyber attacks on the US or any of its neighbours, sponsorship of terrorism, or violations of human rights, and has maintained nothing but the highest regard and adherence to the norms of international law. Iran’s Gulf neighbours have argued otherwise.

    Whether or not one chooses to see any one country as a cyber threat, there is a substantial and growing list of countries that very ably conduct it.
