Samsung Pay Hacked! Allows Your Credit Card To Be Skimmed

Discussion in 'Android News' started by DroidModderX, Aug 8, 2016.

  1. DroidModderX

    DroidModderX Super Moderator
    Staff Member Premium Member


    I can't say that I didn't see this coming. Once again we have a lab-created hack performed by a security researcher. This time the vulnerability has been found in the security of Samsung Pay. The hack that was discovered is actually quite alarming, though, since it would enable the hacker to "skim" your credit cards linked to your Pay account and use them in places without actually having your phone.

    Samsung Pay works using a magnetic payment system. It translates credit card data into tokens. This means a hacker would not be able to capture your actual credit card number. "Salvador Mendoza" discovered that the sequencing of token generation can be predicted. The tokens can be stolen and added to another phone.

    Stealing the token turns out to be pretty simple. Mendoza built a homemade device that can steal the MST (or magnetic secure transmission). Once he has the info from the card he places it on his very own MagSpoof device which he can easily make purchases with. According to Mendoza, all cards from affiliated banks are vulnerable to this type of attack.

    The only thing that wasn't mentioned was whether or not the token stolen also includes your security information (fingerprint or PIN) which is required to complete the purchase. With security being of utmost importance to Samsung these days I have a feeling they will have this all patched up quickly. I would suggest taking every update as it comes out if you use Samsung Pay.

    via ZDNet
     
  2. thunderbolt_nick

    thunderbolt_nick Thunderbolt Rescue Squad
    Rescue Squad

    Interesting. All you'd need to do is disguise the MagSpoof board (or whatever it's called) as a phone and then VOILA! No one would be the wiser. Pretty sure if the bank's security features caught on it would flag the account though after multiple token purchases from several vendors. It's the fact they are able to get this far though that is the scary part.
     
  3. Efin

    Efin Diamond Member

    I almost set up Samsung Pay last week...
    Looks like that will never happen...
     
  4. Rognish

    Rognish Active Member

    I thought the token was a 1 time use and the only way to generate another one is with the original card number and authorizing the payment.
     
  5. xeene

    xeene Gold Member

    Chance of this happening is smaller than winning a lottery.
     
  6. New2u

    New2u Super Moderator

    Everything can be hacked, it's merely how long it takes to do it. The best hacks in the world, you will never know about because they are used by a handful of people here and there because they don't want them to be caught, or they are bought up by our government. It's amazing to see the lengths that some people will go through to hack things. But this is also about the MST, not the NFC part of Samsung Pay. As DroidModderX doesn't mention that Samsung Pay uses both NFC and MST for transactions, I wonder if the NFC side has been hacked also.
     
  7. Efin

    Efin Diamond Member

    Knowing that point you noted, my point was that now I'll never set up Samsung Pay... Or Apple Pay...
    Neither is much more convenient than using your CC/BankCard, IMO.
     
  8. shockracer

    shockracer Active Member

    On the positive side, people will try to hack endlessly because companies are paying for the flaw.
     