Reported Samsung Pay flaw lets thieves remotely collect credit card credentials
Samsung Pay's compatibility mode for legacy point-of-sale terminals may be insecure: a security researcher at the Black Hat conference demonstrated a token theft and remote use vulnerability against it.
The potential security flaw, demonstrated by security analyst Salvador Mendoza at the Black Hat security conference, relies on Samsung's "magnetic secure transmission," the technology central to Samsung Pay's ability to work at existing magnetic stripe point-of-sale terminals. The data that an Android phone running Samsung Pay sends to a regular point of sale terminal to emulate a magnetic stripe swipe appears to be collectible at short range by specialty hardware.
A proof of concept magnetic hardware capture device was demonstrated by Mendoza at the conference. His prototype build was strapped to his arm, and forwarded intercepted tokens to an email address. The prototype is also sufficiently small to be hidden inside a point of sale terminal.
After Mendoza demonstrated the hack, with a remote colleague making a purchase using magnetic spoofing hardware and a pilfered token transmitted to Mexico, Samsung denied the researcher's claim in a very brief statement.
Mendoza also postulates that data collected can be utilized to make educated guesses at a parent credit card number over time, but did not demonstrate that ability.
In the denial amplified on Tuesday, Samsung reiterated that while it is possible to intercept a token and use it for a payment, the conditions that have to be met are very specific, and hard to orchestrate. As with Apple Pay, a token generated by the pay system is single-use. In addition to the magnetic capture requirements, the attacker would have to use the token before the originating transaction completes.
Users also get immediate notification of a Samsung Pay transaction, so a fraudulent token capture and use could be blocked immediately by the authorized user.
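The window Samsung describes above (a single-use token that an attacker must spend before the originating transaction completes, with the cardholder notified of every use) can be modelled on the issuer side. The following is an added example written for this page; it is not Samsung's, the card networks' or Mendoza's code, and the token format, the 60-second validity window, the merchant names and the card references are all constructed for the model. It shows why a relayed token only works when it wins the race, and that the second presentation of a single-use token is itself a detectable signal.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed validity window for an issued token, in seconds. This is a
# constructed figure for the model, not a documented Samsung Pay value.
TOKEN_TTL_SECONDS = 60


@dataclass
class TokenRecord:
    card_ref: str            # opaque reference to the parent card, never the PAN
    issued_at: float
    used_at: Optional[float] = None
    used_by: Optional[str] = None


class TokenService:
    """Issuer-side model of single-use payment tokens (hypothetical service)."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._tokens: Dict[str, TokenRecord] = {}
        self.alerts: List[dict] = []         # replay signals for fraud review
        self.notifications: List[dict] = []  # what the cardholder would be told

    def issue(self, card_ref: str, now: float) -> str:
        """Mint a fresh one-time token for a card; the phone would emit this."""
        token = secrets.token_hex(8)
        self._tokens[token] = TokenRecord(card_ref=card_ref, issued_at=now)
        return token

    def authorize(self, token: str, merchant: str, now: float) -> str:
        """Decide a payment attempt; only the first timely presentation wins."""
        rec = self._tokens.get(token)
        if rec is None:
            return "declined:unknown"
        if now - rec.issued_at > self.ttl:
            return "declined:expired"
        if rec.used_at is not None:
            # A single-use token seen twice: strong evidence of capture/relay.
            self.alerts.append({"card_ref": rec.card_ref, "first": rec.used_by,
                                "second": merchant, "at": now})
            return "declined:replay"
        rec.used_at = now
        rec.used_by = merchant
        self.notifications.append({"card_ref": rec.card_ref,
                                   "merchant": merchant, "at": now})
        return "approved"


def run_scenarios() -> Tuple[Dict[str, Tuple[str, ...]], TokenService]:
    """Replay the three outcomes the article's discussion turns on."""
    svc = TokenService()
    results: Dict[str, Tuple[str, ...]] = {}

    # 1. Relay wins the race: the captured token is presented remotely
    #    before the terminal in front of the cardholder submits it.
    t = svc.issue("card-A", now=0.0)
    results["relay_first"] = (svc.authorize(t, "remote-merchant", now=2.0),
                              svc.authorize(t, "local-terminal", now=3.0))

    # 2. Legitimate transaction completes first: the relayed copy is dead.
    t = svc.issue("card-A", now=100.0)
    results["legit_first"] = (svc.authorize(t, "local-terminal", now=101.0),
                              svc.authorize(t, "remote-merchant", now=105.0))

    # 3. Captured token held too long: expiry closes the window on its own.
    t = svc.issue("card-B", now=200.0)
    results["stale"] = (svc.authorize(t, "remote-merchant",
                                      now=200.0 + TOKEN_TTL_SECONDS + 1),)
    return results, svc


if __name__ == "__main__":
    outcomes, service = run_scenarios()
    print(outcomes)
    print("replay alerts:", len(service.alerts))
    print("cardholder notifications:", len(service.notifications))
```

In scenario 1 the fraud is the approval at "remote-merchant" and the tell is the decline at "local-terminal": the cardholder sees a rejected swipe plus a notification for a purchase somewhere else, which is the detection path Samsung's statement relies on. The model deliberately reproduces the property the article describes, that nothing in the token ties it to the terminal that requested it, so the single-use flag, the expiry and the notification are the only controls it has.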
Despite the denials, Samsung also says that the skimming attack, which results in a token relay to a third party, is a "known issue" and an "acceptable" potential risk, given the difficulty of executing the attack.
Fraud involving Apple Pay has run in the other direction: Apple Pay was once the venue for fraud, rather than the source of stolen customer data. Around the launch of Apple's service, criminals entered credit card data stolen in other breaches into Apple Pay and used it for payments in stores.
Apple Pay has no compatibility mode for legacy point of sale terminals, relying instead in part on the mandated shift to new credit card processing machines in the U.S. to drive vendor acceptance. Furthermore, since the launch in 2015, issuing banks have tightened the authentication of card data added to Apple Pay.
Comments
Merchants should not allow it and Samsung should discontinue the feature.
If a thief steals an unlocked Samsung phone, they could pay for a lot of stuff since no authentication is needed at the POS.
True
p.s. Why do you have Chibi Robi as your pic?
That said, even though NFC is inarguably more secure, I doubt any of us has been able to forego carrying physical cards*, so the threat of skimmers is still an issue; they already exist and would still be usable with that aspect of Samsung Pay.
* I can make trips without a physical card knowing that I'll be able to use Apple Pay at certain locations, and I probably use Apple Pay a good 10–20x a week, but we are still far from that tipping point of a certain percentage of a population being able to leave all physical cards at home, and therefore truly reaching a new level of personal protection against thieves.
This wouldn't be a problem if NFC mobile payment was widely supported in USA & UK - which it is not.
Also trying to downplay the flaw as requiring hardware that is "extremely difficult" to build is entirely ignorant to the very real and very frequent problem of card skimming. The hardware required for this hack is not dissimilar to existing skimming devices - in fact it's novel because it can now be achieved wirelessly.
Samsung's response is also a problem, you can't sweep a security flaw under the rug and expect organised crime to ignore it.
Why was Samsung's response a problem? This so-called security flaw quite obviously is extremely difficult to exploit and there will never be a single exploit using this in the wild, ever. It is obviously completely impractical to implement, given the degree of technical difficulty, and the extremely low reward even if it were successful would provide no motive whatsoever.
Samsung is known for ignoring flaws and does not let consumers update their phones unless they buy a new one. Apple Pay is secure.
If the HW, mobile OS, or financial institution is jeopardized then the security of the payment can be jeopardized, even with the token, referential card number, and small radius of NFC's magnetic loop. Additionally, if you throw in an intermediary, like Google did with the launch of Google Wallet, Android Pay's predecessor, you then include another method by which consumer security can be jeopardized.
Going beyond that, even if the transaction itself hasn't been hacked, it's still possible for retailers, apps, and/or hackers to get information on locations, stores, amounts per transactions, times and dates when a transaction may occur, and other data that can be used to manipulate the user, which is another way in which a system can be made insecure.
Wow, things went south pretty damn fast. :-(
Mac observer has picked this up and thinks that for the most part that it isn't a problem… then went on to suggest why it might be a problem.
http://www.macobserver.com/columns-opinions/editorial/samsung-pay-transaction-tokens-can-intercepted-its-cool/
Since we already have card skimmers for ATMs, I don't think making one for magnetic readers would be all that difficult or expensive. But as Mr Chaffin points out, what if the device could use the token to create its own fraudulent transaction before the real reader? What would happen then? I'm guessing that the terminal would reject the genuine payment, and the customer and the sales bod would just try again. I don't think creating such a device would be that easy, but it would certainly be worth it to your tech-savvy fraudster.
And the screaming desperation of our two resident Samsung supporters doesn't exactly fill me with confidence, and neither did Samsung's response:
This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack. The card networks and issuers also run their fraud prevention algorithms on all payment attempts, including Samsung Pay. This serves as another layer of protection against token relay.
'Potential risk acceptable'. Mmmm. Not sure that I'm happy with the people with a vested interest being the judge of what is an acceptable risk. Still, I like the way they shifted the responsibility back on to the card networks and issuers (and since this is using the old insecure technology they invented then the responsibility does lie with them). If this does turn out to be a problem then that could prove to be a very smart move.
For a skimmer to work, a magnetic strip device has to be in place at the terminal. This means that all swiped cards as well as Samsung Pay users when using the feature they purchased from LoopPay. Skimmers are simple and cheap.
The alternative is to target ONLY Android-based devices, and then ONLY those that are made by Samsung, and then ONLY those that are less than a couple of years old, and ONLY when they use Samsung Pay, and ONLY when it's the LoopPay feature.
How is it more dangerous than swiping a card? How is it dangerous when a retailer makes the choice to stop accepting swipes?
If the only way to prevent this attack is to try to reverse the charges after receiving a notification, that means these customers become more expensive for their banks to serve.
Not to mention that people will probably find a way to turn off or ignore these notifications once they become annoying (which they are) and then delaying their response to the fraud will make it even more expensive for the banks, as some of the funds will become a lot less recoverable.
We already have a huge issue in the US with banks not doing business in poor neighborhoods. This is why some politicians have considered whether post offices could offer financial services (which is clever but impractical). Hopefully the frequency of fraud won't explode overnight, but factors like this are not going to help banks move into those neighborhoods. Withholding legitimate financial services leaves these people to fend for themselves with check cashing establishments and interpersonal loans that incur a proportionally higher cost in both dollars and time and energy and emotional willpower.
I suspect that Samsung executives realized a lot of this and decided to pull the trigger anyway so they could attempt to utilize the legacy hardware to "pull ahead" of Apple Pay. That's the kind of cultural issue that will affect a business and its customers in the long run. Maybe not right away, but if you continually leech value out of the lives of your customers, through security nightmares, bugs that waste time and aggravate and confuse, and products that don't last (or receive updates), you're doing little more than slowly killing the planet. A lot of the responsibility for these phones remaining popular should be laid at the feet of journalists who strive to maintain a semblance of parity so that their own work will be a reference point for customers to make decisions with.