Samsung Pay Hacked! Allows Your Credit Card To Be Skimmed

DroidModderX

Super Moderator
Staff member
Premium Member
Joined
Oct 6, 2011
Messages
5,781
Reaction score
2,134

I can't say that I didn't see this coming. Once again we have a lab created hack performed by a security researcher. This time the vulnerability has been found in the security of Samsung Pay. The hack that was discovered is actually quite alarming though since it would enable the hacker to "skim" your credit cards linked to your Pay account and use them in places without actually having your phone.

Samsung Pay works using a magnetic payment system. It translates credit card data into tokens. This means a hacker would not be able to capture your actual credit card number. "Salvador Mendoza" discovered that the sequencing of token generation can be predicted. The tokens can be stolen and added to another phone.

Stealing the token turns out to be pretty simple. Menodza built a home made device that can steal the MST (or magnetic secure transmission). Once he has the info from the card he places it on his very own magspoof device which he can easily make purchases with. According to Mendoza all cards from affiliated banks are vulnerable to this type of attack.

The only thing that wasn't mentioned was whether or not the token stolen also includes your security information (fiingerprint or PIN) which is required to complete the purchase. With security being of up most important to Samsung these days I have a feeling they will have this all patched up quickly. I would suggest taking every update as it comes out if you use Samsung Pay.

via ZDNet
 

thunderbolt_nick

Thunderbolt Rescue Squad
Rescue Squad
Joined
Nov 22, 2011
Messages
1,185
Reaction score
609
Location
Orlando, FL
Website
www.nickburress.com
Current Phone Model
Nexus 6P
Twitter
@nickburress2k2
Interesting. All you'd need to do is disguise the MagSpoof board (or whatever it's called) as a phone and then VOILA! No one would be the wiser. Pretty sure if the bank's security features caught on it would flag the account though after multiple token purchases from several vendors. It's the fact they are able to get this far though that is the scary part.
 

Efin

Diamond Member
Joined
Apr 19, 2014
Messages
5,584
Reaction score
3,380
I almost setup Samsung Pay last week...
Looks like that will never happen...
 

Rognish

Active Member
Joined
Jul 25, 2010
Messages
238
Reaction score
79
Location
Ohio
Current Phone Model
Nexus 6
Twitter
rognish
I though the token was a 1 time use and the only way to generate another one is with the original card number and authorizing the payment.
 

New2u

Super Moderator
Joined
Oct 25, 2009
Messages
3,694
Reaction score
69
Location
Tallahassee, Fl
I almost setup Samsung Pay last week...
Looks like that will never happen...

Everything can be hacked, it's merely how long it takes to do it. The best hacks in the world, you will never know about because they are used by a handful of people here and there because they don't want them to be caught, or they are bought up by our government. It's amazing to see the lengths that some people will go through to hack things. But this is also about the MST, not the NFC part of Samsung Pay. As DroidModderX doesn't mention that Samsung Pay uses both NFC and MST for transactions, I wonder if the NFC side has been hacked also.
 

Efin

Diamond Member
Joined
Apr 19, 2014
Messages
5,584
Reaction score
3,380
I almost setup Samsung Pay last week...
Looks like that will never happen...

Everything can be hacked, it's merely how long it takes to do it. The best hacks in the world, you will never know about because they are used by a handful of people here and there because they don't want them to be caught, or they are bought up by our government. It's amazing to see the lengths that some people will go through to hack things. But this is also about the MST, not the NFC part of Samsung Pay. As DroidModderX doesn't mention that Samsung Pay uses both NFC and MST for transactions, I wonder if the NFC side has been hacked also.
Knowing that point you noted, my point was that now I'll never set up Samsung pay... Or Apple pay...
Neither is much more convenient than using your CC/BankCard, IMO.
 

shockracer

Active Member
Joined
Jan 15, 2011
Messages
438
Reaction score
153
Location
Northern, CO
On the positive side, people will try to hack endlessly because companies are paying for the flaw.
 
Top