Samsung Pay Hacked! Allows Your Credit Card To Be Skimmed

DroidModderX

Super Moderator
Staff member
Premium Member
Joined
Oct 6, 2011
Messages
5,782
Reaction score
2,133

I can't say that I didn't see this coming. Once again we have a lab created hack performed by a security researcher. This time the vulnerability has been found in the security of Samsung Pay. The hack that was discovered is actually quite alarming though since it would enable the hacker to "skim" your credit cards linked to your Pay account and use them in places without actually having your phone.

Samsung Pay works using a magnetic payment system. It translates credit card data into tokens. This means a hacker would not be able to capture your actual credit card number. "Salvador Mendoza" discovered that the sequencing of token generation can be predicted. The tokens can be stolen and added to another phone.

Stealing the token turns out to be pretty simple. Mendoza built a homemade device that can steal the MST (or magnetic secure transmission). Once he has the info from the card, he places it on his very own MagSpoof device, which he can easily make purchases with. According to Mendoza, all cards from affiliated banks are vulnerable to this type of attack.

The only thing that wasn't mentioned was whether or not the token stolen also includes your security information (fingerprint or PIN), which is required to complete the purchase. With security being of utmost importance to Samsung these days, I have a feeling they will have this all patched up quickly. I would suggest taking every update as it comes out if you use Samsung Pay.

via ZDNet
 

thunderbolt_nick

Thunderbolt Rescue Squad
Rescue Squad
Joined
Nov 22, 2011
Messages
1,185
Reaction score
609
Location
Orlando, FL
Website
www.nickburress.com
Current Phone Model
Nexus 6P
Twitter
@nickburress2k2
Interesting. All you'd need to do is disguise the MagSpoof board (or whatever it's called) as a phone and then VOILA! No one would be the wiser. Pretty sure if the bank's security features caught on it would flag the account though after multiple token purchases from several vendors. It's the fact they are able to get this far though that is the scary part.
 

Efin

Diamond Member
Joined
Apr 19, 2014
Messages
5,584
Reaction score
3,378
I almost set up Samsung Pay last week...
Looks like that will never happen...
 

Rognish

Active Member
Joined
Jul 25, 2010
Messages
238
Reaction score
79
Location
Ohio
Current Phone Model
Nexus 6
Twitter
rognish
I thought the token was a 1 time use and the only way to generate another one is with the original card number and authorizing the payment.
 

New2u

Super Moderator
Joined
Oct 25, 2009
Messages
3,692
Reaction score
69
Location
Tallahassee, Fl
I almost set up Samsung Pay last week...
Looks like that will never happen...

Everything can be hacked, it's merely how long it takes to do it. The best hacks in the world, you will never know about because they are used by a handful of people here and there because they don't want them to be caught, or they are bought up by our government. It's amazing to see the lengths that some people will go through to hack things. But this is also about the MST, not the NFC part of Samsung Pay. As DroidModderX doesn't mention that Samsung Pay uses both NFC and MST for transactions, I wonder if the NFC side has been hacked also.
 

Efin

Diamond Member
Joined
Apr 19, 2014
Messages
5,584
Reaction score
3,378
I almost set up Samsung Pay last week...
Looks like that will never happen...

Everything can be hacked, it's merely how long it takes to do it. The best hacks in the world, you will never know about because they are used by a handful of people here and there because they don't want them to be caught, or they are bought up by our government. It's amazing to see the lengths that some people will go through to hack things. But this is also about the MST, not the NFC part of Samsung Pay. As DroidModderX doesn't mention that Samsung Pay uses both NFC and MST for transactions, I wonder if the NFC side has been hacked also.
Knowing that point you noted, my point was that now I'll never set up Samsung Pay... Or Apple Pay...
Neither is much more convenient than using your CC/BankCard, IMO.
 

shockracer

Active Member
Joined
Jan 15, 2011
Messages
438
Reaction score
153
Location
Northern, CO
On the positive side, people will try to hack endlessly because companies are paying for the flaw.