Samsung Pay Transaction Tokens Can Be Intercepted, But It’s All Cool, Bro

2 minute read
| Editorial

Buggy SamsungAn interesting story is developing around Samsung Pay: the first part is that transaction tokens can be intercepted; and the second part is that Samsung calls this an “acceptable risk” because it’s hard to do.

Interception

Researchers demonstrated the hack at this year’s Defcon, as noted by The Verge. It relies on Samsung Pay’s “magnetic secure transmission” for use with traditional magnetic striper readers. Samsung devices with this feature generate a magnetic field that transmits transaction information—including a one-time token—to a stripe reader.

It turns out that transmission can be intercepted. During the Black Hat demonstration, a researcher did so using equipment strapped to his arm. It’s small enough, however, to hide inside a point of sale terminal, and a bad guy could perhaps secure it near a reader.

The transaction token is intercepted by the device, which then emails it to a designated address. The researchers then demonstrated using that intercepted token to make a different transaction than the one it was intended for.

Yeah, But It’s All Cool, Bro

That all sounds pretty darn scary to me, but Samsung doesn’t think so. The company issued a statement denying the Black Hat demonstration was accurate. In a fascinating extra, that statement came with its own FAQ. Seriously. Buried at the bottom of the FAQ was this note:

This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack. The card networks and issuers also run their fraud prevention algorithms on all payment attempts, including Samsung Pay. This serves as another layer of protection against token relay.

My interpretation of that footnote to the FAQ of the statement (!!) is, yeah, this is possible, but it’s really hard, so it’s all cool, bro.

Samsung does have a tiny point. Taking advantage of this sort of hack is hard. You have to complete a transaction using the one-time token before it’s used by its legitimate owner. Alternately, the bad guys could use tokens from canceled transactions. But it doesn’t seem like a stretch for the bad guys to set up automated systems that quickly conduct small transactions, the kind that go unnoticed by consumers and fraud detection alike.

Duh

The point I personally take away is that magnetic stripe transactions are weak on security in the first place. That’s why credit card companies have moved to the (absurdly slow) chips in our cards. It’s also why Apple saw an opportunity for Apple Pay, a contactless payment system not vulnerable to this kind of exploit.

Samsung using this legacy system to (try to) get a leg up for its unneeded payment service was a stupid idea in the first place. It’s only a matter of time before someone actively exploits this vulnerability and Samsung is forced to pull the plug.

9
Leave a Reply

Please Login to comment
9 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
3 Comment authors
wab95daemonvpndev Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
wab95
Member
wab95

daemon I’m not surprised that you may have heard only unsubstantiated rumours. I was not in the USA during that period, but didn’t see much US press coverage. Nonetheless, assertions were not confined to conspiracy theorists, but US military officials http://www.businessinsider.com/iranian-cyberattacks-retaliation-for-stuxnet-virus-2013-1 (just one of many), government officials and cyber security experts have as well http://www.wsj.com/articles/u-s-detects-flurry-of-iranian-hacking-1446684754. It was also addressed in the documentary, Zero Days. Worth a look, if you haven’t seen it. Iran, of course, has always publicly denied any cyber attacks on the US or any of its neighbours, sponsorship of terrrism, or violations of human rights, and has… Read more »

daemon
Member
daemon

wab95 I’m unaware of any such response from Iran to Stuxnet six years ago. I’ve read multiple claims by conspiracy theorists saying that Iran has breached the security of hundreds of US firms and had formed a cyber beachhead here in the US, but no actual attacks that linked to Iran.

Most of the publicized state sponsored attacks have been linked to China and Russia.

wab95
Member
wab95

daemon: I appreciate your elaboration on how Samsung Pay works. And I agree; no one is going to authorise a purchase that is so obviously what they not intend. Your rebuttal, however, risks seriously under-estimating the preplanning, resources and execution of state-sponsored exploits to deceive and defeat system vulnerabilities. Don’t forget, when the US and allies unleashed Stuxnet on Iran, Iran responded with a very effective take down of Wall Street, and they made sure that the US knew who did it. Given the incentive of state-sponsored and well resourced bad guys to do harm, it is inexcusable for Samsung,… Read more »

daemon
Member
daemon

….. This is how Samsung pay works: You enter your pin into your Samsung Pay app on the phone. The app generates a one time use token. You bring your phone into range of the magstripe reader. Your phone transmits the one time use token. This is where your information is stolen. The one time use token is used. You get an email telling you what you just bought. Oh my goodness, I see here that I just bought a $3.5 million harrier jet when I was attempting to buy a .99 cola. Huh, the register is still waiting for… Read more »

wab95
Member
wab95

Bryan: I mean, dude! You need to get with the programme here. Didn’t you grok the part where where Samsung said, This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack. What more needs to be said, right? We’re talking Samsung here. And their partners. You know, their partners?!! Yeah, it would be hard! And as we all know, bad guys just don’t do hard. They go for the easy stuff. I mean, it’s… Read more »

daemon
Member
daemon

vpndev:

Chip & PIN Fraud Explained – Computerphile

Here in the United States Chip and PIN is nothing more than security theatre for congressional members to convince them to shift fraud liability from the banks to the account holders. Someone steals your credit card Chip and PIN info and suddenly they say it’s your fault and your account isn’t covered by the bank’s fraud protection any more.

vpndev
Member
vpndev

daemon: chip cards are a great improvement in certain circumstances, but not all.

You are right that there have been exploits against chip+PIN in Europe. But this is far, far less than the roaring success that criminals have had in the U.S. with breaches such as Target and Home Depot.

Is chip technology 100% secure? No. But the attack possibilities are much smaller than with mag stripe.

daemon
Member
daemon

Oh Hai! Those chips in your cards aren’t any more secure than the magnetic strip! Exploits have been in the wild in Europe where chip and pin went live years ago! Seriously if you think using that chip is securing your transactions I’ve got a bridge to sell you!

daemon
Member
daemon

I was worried there when you said they used a single use token again!

But then you clarified that no, it wasn’t used again, it was used before the user could use it!

Now I have to admit that if these single use tokens can be used again if a transaction is cancelled is a serious breach of security. But I’m thinking that’s not reality and is just something you threw out there as a possible concern with no evidence that it works that way. If you do have evidence, please share!