Researcher finds a way to make fraudulent transactions via Samsung Pay, but Samsung denies any issues

Aug 9, 2016 06:25 GMT  ·  By

Samsung has issued a statement calling recent reports that highlighted a security flaw in its Samsung Pay service "inaccurate."

The multiple media reports are based on the Black Hat 2016 presentation of security researcher Salvador Mendoza, who detailed a method of extracting tokens from the Samsung Pay application and using them to carry out fraudulent transactions.

Attackers can extract payment tokens from the Samsung Pay app

Mendoza's research focuses on how the Samsung Pay app generates and uses tokens to authorize and perform financial transactions. He says that an attacker could predict future tokens based on past tokens the app generated.

He also explains that a token the app generates stays valid for at least 24 hours if it is not used, even after the user generates a second token to authorize another transaction, so more than one live token can exist for the same card at once.

An attacker who extracts one of these tokens can replay it at a payment terminal, making transactions that are billed to the victim's payment card.
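The three token-handling weaknesses described above (tokens predictable from earlier ones, tokens that stay valid for a day, and old tokens that survive the issue of a new one) are easiest to reason about side by side with the checks that close them. The following is an added illustrative model written for this article, not Samsung Pay's code or Mendoza's extraction tool: the counter-based generator, the 24-hour window and the one-minute lifetime in the hardened version are assumptions chosen to make the contrast visible, and the class and function names are hypothetical.

```python
import secrets

WEAK_TOKEN_LIFETIME = 24 * 3600   # assumption: mirrors the 24-hour window the article describes
HARDENED_TOKEN_TTL = 60           # assumption: a payment token should die within a minute


class WeakTokenService:
    """Hypothetical issuer showing the flaw class: predictable, long-lived, replayable tokens."""

    def __init__(self, start: int = 1000):
        self._counter = start
        self._issued = {}   # token -> time of issue

    def issue(self, now: float) -> str:
        # Predictable by construction: each token is the previous one plus one,
        # so anyone who has seen one token can compute the next.
        self._counter += 1
        token = f"{self._counter:016d}"
        self._issued[token] = now
        return token

    def redeem(self, token: str, now: float) -> bool:
        issued_at = self._issued.get(token)
        if issued_at is None:
            return False
        # Valid for a full day and never marked as spent: a stolen token can be
        # replayed, and an old token stays usable after a newer one is issued.
        return now - issued_at < WEAK_TOKEN_LIFETIME


class HardenedTokenService:
    """Hypothetical issuer: unpredictable, short-lived, single-use, one outstanding token."""

    def __init__(self, ttl: float = HARDENED_TOKEN_TTL):
        self._ttl = ttl
        self._active = None   # (token, issued_at); at most one unused token at a time
        self._spent = set()

    def issue(self, now: float) -> str:
        # 128 bits from the OS CSPRNG: past tokens say nothing about future ones.
        token = secrets.token_hex(16)
        # Issuing a new token invalidates any earlier token that was never used.
        self._active = (token, now)
        return token

    def redeem(self, token: str, now: float) -> bool:
        if self._active is None:
            return False
        active_token, issued_at = self._active
        if not secrets.compare_digest(token.encode(), active_token.encode()):
            return False            # not the current token (stale or forged)
        if now - issued_at > self._ttl:
            self._active = None     # expired; drop it rather than let it linger
            return False
        if token in self._spent:
            return False            # replay of a token already used
        self._spent.add(token)      # single use: consume on first redemption
        self._active = None
        return True


def demo() -> dict:
    """Runs both services on a constructed clock and reports each check's outcome."""
    t0 = 1_470_000_000.0   # constructed epoch timestamp
    weak = WeakTokenService()
    first = weak.issue(t0)
    predicted = f"{int(first) + 1:016d}"   # attacker guesses the next token
    second = weak.issue(t0 + 1)
    results = {
        "weak_next_token_predicted": predicted == second,
        "weak_old_token_valid_after_new_one": weak.redeem(first, t0 + 3600),
        "weak_replay_accepted": weak.redeem(first, t0 + 3601) and weak.redeem(first, t0 + 3602),
    }

    hard = HardenedTokenService()
    a = hard.issue(t0)
    b = hard.issue(t0 + 1)
    results["hard_old_token_rejected"] = not hard.redeem(a, t0 + 2)
    results["hard_current_token_accepted"] = hard.redeem(b, t0 + 2)
    results["hard_replay_rejected"] = not hard.redeem(b, t0 + 3)
    c = hard.issue(t0 + 10)
    results["hard_expired_token_rejected"] = not hard.redeem(c, t0 + 10 + HARDENED_TOKEN_TTL + 1)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Every entry returned by `demo()` is `True`: the weak service lets the attacker predict the next token, accepts a token an hour after a newer one was issued, and accepts the same token twice; the hardened service refuses the superseded token, the replayed token and the expired token while still accepting the current one. The design choice that matters most is the `_active` slot: keeping at most one outstanding token per card removes the window in which several unused tokens can be harvested and replayed later.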

A small device can be used to steal tokens, and another to use them

To prove his work, Mendoza built a tiny device that can be strapped to someone's wrist, under their clothes, and captures Samsung Pay tokens from the app as it generates them. How such a device is deployed is limited only by an attacker's imagination.

Once a crook manages to steal Samsung Pay tokens from a victim's phone, they can use a modified version of MagSpoof to carry out fraudulent transactions.

MagSpoof is a credit card magnetic stripe emulator. Since Samsung designed these tokens to stand in for a card's magnetic stripe data without exposing the user's actual card details, MagSpoof can transmit a stolen token wirelessly to a payment terminal's magnetic stripe reader and complete a transaction.

If all of this is hard to believe, Mendoza has put the code to extract tokens on GitHub, and even shot a video stealing a Samsung Pay token from his phone, and then using a MagSpoof device to make a payment. The video is embedded below.

Samsung Pay app uses hardcoded passwords to secure sensitive data

Besides the two token security flaws, Mendoza also reported that Samsung used static, hardcoded passwords to encrypt the app's files and database; he was able to recover these passwords by reverse-engineering the app and expose the sensitive data inside.

"The databases are very sensitive," the researcher wrote in his research paper. "They contain delicate information to update token status, server connections instructions and validation certificates."

For its part, Samsung has called Mendoza's work an "inaccurate report." Mendoza told Softpedia that Samsung's security team knew of the issues since May 12, 2016. "We were sharing info/bugs since that day until I sent my Black Hat presentation to them," the researcher says. "Basically they had all the info before anyone." You can read the company's entire statement in full below the video.

UPDATE [August 9, 2016]: The researcher recorded another YouTube video showing that the Samsung Pay flaw is still present today, in response to Samsung's "inaccurate report" statement. His latest video has been added below the original PoC video.

Samsung Statement