Samsung: Hacking Samsung Pay is Very Difficult

...

Samsung this week disputed a security researcher's claims that the Korean tech giant's mobile payments system was vulnerable to hacking.

For each transaction, the Samsung Pay app creates a unique digital token that represents the account holder's credit or debit card information. In a research paper prepared for the Def Con hacking conference, security expert Salvador Mendoza claimed that the tokenization process could leave a consumer's financial information vulnerable.

Hackers can exploit the vulnerability by tricking Samsung Pay into reusing a token for multiple transactions, Mendoza wrote. In addition to guessing a token using brute force methods, a hacker could jam the transaction and force Samsung Pay to generate a new token, which he or she could then steal.

The entire process could be completed with little more than a Raspberry Pi and a device called a MagSpoof, which acts as a jammer to confuse a nearby payment terminal, according to Mendoza. Unlike competing contactless payment apps from Apple and Android, Samsung Pay can use the same magnetic strips found in plastic credit cards to complete a transaction.

Samsung did not deny that a hacker could steal its digital tokens, but the company explained that stolen tokens alone are not sufficient to make an unauthorized charge. Samsung Pay checks each transaction against a counter, which tracks the sequence of transactions and determines whether an attempted purchase is older than the last one approved.

The app also requires a secret key, called a cryptogram, in addition to a valid counter check and digital token. These requirements make it unlikely that Mendoza's approach would work in practice. Even if it did, the Samsung Pay app alerts users after each transaction, Samsung explained, making it easy for them to spot and dispute fraudulent charges with their bank.

Categories
APPLICATIONS
0 Comment

Leave a Reply

Captcha image


RELATED BY

  • 5300c769af79e

    Here is the New Boot Animation for Moto Phones

    ” We aren’t sure if that means future phones, as in, phones coming months from now or if the current crop of newish phones (like the Moto Z family) will see an update to this.In the past, while still under Google leadership, Motorola frequently update the boot animations on phones like the original Moto X.
  • 5300c769af79e

    Awesome tech you can’t buy yet: Astrocams, boombox art, and more

    A Touch of Bass — Boombox art, with built in speakers Remember Case of Bass?After more than a year of making badass suitcase boomboxes, they’re finally back with a new product: A Touch of Bass.
  • 5300c769af79e

    Oracle's DB Dilemma

    Everybody likes to use the mainframe as an example of how markets shrivel, and the Seeking Alpha article does too.) At any rate, Seeking Alpha's point is that the relational DB is old, it doesn't do some things that NoSQL does, and relational therefore is in trouble.
  • 5300c769af79e

    Microsoft and Intel's PC Revolution Is Called 'Project Evo'

    The first area Project Evo aims to improve is communication through Cortana.Rather than catering to a person sitting at a PC, Microsoft and Intel will expand that to allow Cortana to function across an entire room (think Amazon Echo, but Microsoft's take using a PC).