Researcher Finds Samsung Pay Hack That Allows Attackers to Make Fraudulent Payments

You may want to hold off on using Samsung Pay for the time being. A research paper has surfaced arguing that a security flaw in the mobile banking application could allow thieves to remotely collect credit card information.

While there is no evidence that this has actually occurred yet, security researcher Salvador Mendoza presented a paper at the Black Hat security conference pointing to a potential weakness in Samsung Pay’s reliance on “magnetic secure transmission.”

What Samsung Pay does is essentially emulate a credit card swipe by transmitting a temporary “token” to the magnetic card swipe terminals that are typically found at retailers. The generated tokens are proxies for your credit card number, but they are ephemeral and good for a single transaction only.

Mendoza has postulated that these tokens, which are tied to users’ bank accounts, are generated by an algorithm that can be hacked or spoofed. Engadget reports that he advances three hypothetical scenarios in which thieves could crack the algorithm: he conjectures that attackers could build a spoofing algorithm that generates their own usable tokens; he raises the possibility that they could build wrist-mounted devices that nab the token as it is being generated; and he theorizes that attackers could somehow jam the transaction midway through to prevent the token from being used, so that they could use it for themselves.

Samsung is arguing that Mendoza, who has not actually seen the algorithm which is being kept secret for obvious security reasons, has guessed wrong and that its algorithm does not actually function in the way he presents it. That being said, Samsung has admitted that it is theoretically possible for attackers to swipe the token using devices similar to the wrist-mounted contraptions that Mendoza describes, The Verge reports. The difficulty is that the attackers would have to be physically close to the Samsung Pay user as he or she is making a purchase, jam the transmission, and use the token to make a purchase before the original transaction is completed.

Mendoza has admitted that every credit card or debit card is actually susceptible to this sort of attack. Samsung argues that it had known of this vulnerability previously and deemed it to be an acceptable amount of risk.
