A vulnerability has been discovered in Samsung Pay which can be exploited by a hacker to wirelessly steal credit cards. The way Samsung Pay secures transactions involves translating credit card data into tokens so that card numbers can’t be stolen from the device. However, security researcher Salvador Mendoza discovered that those tokens aren’t as secure as one might believe them to be. He presented more details about this vulnerability at a Black Hat talk in Las Vegas earlier this week.
He discovered that the tokenization process is limited and that the sequence of tokens can be predicted. He explains that the tokenization process becomes weaker after the Samsung Pay app generates the first token for a specific card, which means there is a greater chance that future tokens can be predicted. An attacker who knows how to do this can capture the tokens and replay them on another device to make unauthorized transactions. Mendoza said that he proved his theory by sending a token to one of his friends in Mexico, who was able to use it with magnetic spoofing hardware to make a purchase through Samsung Pay, even though Samsung's mobile payment service has not been launched in Mexico yet.
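The failure mode described above (a first token that is random, followed by tokens that can be derived from it) is illustrated below with an added, constructed example. This is not Samsung Pay's tokenization scheme and not Mendoza's code; the `WeakTokenizer` with its fixed step is a hypothetical stand-in for any generator whose later tokens depend on earlier ones, and `StrongTokenizer` shows the property a payment token generator needs. The `audit_tokenizer` check is the kind of test a defender would run against a token generator before shipping it: does a handful of observed tokens let you guess the next one?

```python
import secrets
from typing import List

TOKEN_BITS = 64
MODULUS = 1 << TOKEN_BITS


class WeakTokenizer:
    """Constructed illustration of a predictable token sequence (NOT Samsung Pay's scheme).

    The first token is genuinely random, but every later token is derived from its
    predecessor by a fixed step. Once an observer has two consecutive tokens, the
    rest of the sequence follows: exactly the "weaker after the first token" pattern."""

    def __init__(self, step: int = 0x9E3779B97F4A7C15):  # arbitrary constant, hypothetical
        self.step = step % MODULUS
        self.state = None

    def next_token(self) -> int:
        if self.state is None:
            self.state = secrets.randbits(TOKEN_BITS)        # first token: unpredictable
        else:
            self.state = (self.state + self.step) % MODULUS   # later tokens: derived
        return self.state


class StrongTokenizer:
    """Each token is drawn independently from the OS CSPRNG; earlier tokens reveal nothing."""

    def next_token(self) -> int:
        return secrets.randbits(TOKEN_BITS)


def constant_stride(tokens: List[int]) -> bool:
    """True if all consecutive differences (mod 2^64) are equal, i.e. the sequence is linear."""
    if len(tokens) < 3:
        return False
    diffs = {(b - a) % MODULUS for a, b in zip(tokens, tokens[1:])}
    return len(diffs) == 1


def audit_tokenizer(tokenizer, samples: int = 8) -> dict:
    """Defender's check: draw a few tokens, test for a constant stride, then confirm
    whether the stride really predicts the next token the generator emits."""
    tokens = [tokenizer.next_token() for _ in range(samples)]
    predictable = constant_stride(tokens)
    guess = (tokens[-1] + (tokens[-1] - tokens[-2])) % MODULUS
    actual = tokenizer.next_token()
    return {"constant_stride": predictable, "guess_matched": guess == actual}


if __name__ == "__main__":
    # Expected: the weak generator is flagged on both counts, the strong one on neither.
    print("weak  :", audit_tokenizer(WeakTokenizer()))
    print("strong:", audit_tokenizer(StrongTokenizer()))
```

The point of the check is that randomness of the first token is not enough: a generator has to be unpredictable at every step, which in practice means each token comes from a CSPRNG (or a keyed construction the observer cannot run) rather than from arithmetic on previous tokens. A constant-stride test is only the simplest such probe; a real review would also look for low-entropy fields and reuse across cards.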
Mendoza explains more about his discovery in the video that’s posted down below. Samsung hasn’t confirmed yet if it has taken care of this vulnerability but did say that “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.” It also wants to remind all users that “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform.”