An update to the Samsung Mobile Security blog confirms that a third party can intercept Samsung Pay tokens and use them to make wireless payments. The weakness was demonstrated by Salvador Mendoza during a Black Hat talk in Las Vegas on August 4. While Samsung acknowledges that the token relay attack is possible, its blog update refutes Mendoza's claim that Samsung Pay uses a specific algorithm he described to “encrypt payment credentials or generate cryptograms.”
Samsung's update reads: “This skimming attack model has been a known issue reviewed by the card networks and Samsung Pay, and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack. The card networks and issuers also run their fraud prevention algorithms on all payment attempts, including Samsung Pay. This serves as another layer of protection against token relay.”
Fortunately, there is a silver lining. Credit card details stored in Samsung Pay are not at risk, and an intercepted Samsung Pay token can be used only once, within 24 hours of being generated. First, a Samsung Pay user has to initiate a payment on their device for a payment token to be generated at all. Once generated, the token must be intercepted by a skimming device located no more than a few inches from the phone. Because each token is good for exactly one transaction, a skimmed token is only useful if the legitimate Samsung Pay transaction is never completed; once your transaction goes through, the skimmed copy is useless.
Intercepting Samsung Pay tokens may seem like a lot of effort for a thief to gain, at most, the chance of completing a single wireless transaction, but it's actually easier than you might think.
Consider a simple social engineering scam: someone poses as a sales representative next to a vending machine in a public place and offers to explain Samsung Pay and wireless payments to passers-by. With a token skimmer hidden in his sleeve, the scammer intercepts the Samsung Pay token as he demos the payment flow on the user's phone. To make sure that token is not consumed by the user's own transaction, he closes Samsung Pay before the payment completes and asks the user to walk through the process again on their own. Using this method, a good scammer could collect a few dozen unused Samsung Pay tokens within an hour or two.
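The two properties described above (a token is single-use and expires 24 hours after generation) are what decide whether the vending-machine scam works: the skimmed token only pays out if the victim's own transaction never consumed it. The following is an added example, not Samsung's or Mendoza's code, that models an issuer's token bookkeeping and replays both outcomes. The token format, the keyed MAC, the key value and the issuer-side `redeem` logic are assumptions made for illustration; only the one-use and 24-hour rules come from the post.

```python
"""Model of one-time payment tokens and the relay/skimming scenario.

Added example, not Samsung Pay's real token format or issuer logic.
Assumed for illustration: an opaque nonce bound to its issue time by an
HMAC, and an issuer that remembers every redeemed token value.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60  # validity window stated in the post


@dataclass
class Token:
    value: str        # "nonce.tag" (hypothetical format)
    issued_at: float  # epoch seconds when the phone generated the token


class Issuer:
    """Issuer-side bookkeeping: accept each token at most once, within TTL."""

    def __init__(self, key: bytes):
        self._key = key
        self._used: set[str] = set()

    def _tag(self, nonce: str, issued_at: float) -> str:
        # MAC binds the nonce to its issue time so neither can be altered.
        msg = f"{nonce}:{int(issued_at)}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def mint(self, now: float) -> Token:
        nonce = secrets.token_hex(8)
        return Token(value=f"{nonce}.{self._tag(nonce, now)}", issued_at=now)

    def _well_formed(self, token: Token) -> bool:
        parts = token.value.split(".")
        if len(parts) != 2:
            return False
        nonce, tag = parts
        return hmac.compare_digest(tag, self._tag(nonce, token.issued_at))

    def redeem(self, token: Token, now: float) -> str:
        if not self._well_formed(token):
            return "rejected: bad token"
        if now - token.issued_at > TOKEN_TTL_SECONDS:
            return "rejected: expired"
        if token.value in self._used:
            return "rejected: already used"
        self._used.add(token.value)
        return "approved"


def relay_scenario(user_completes: bool, delay_seconds: float = 600) -> tuple[str, str]:
    """Skimmer copies the token the moment the phone emits it.

    Returns (result of the victim's own payment, result of the skimmer's
    later attempt). Constructed demo key and timestamps.
    """
    issuer = Issuer(key=b"constructed-demo-key")
    t0 = 1_700_000_000.0
    token = issuer.mint(now=t0)                    # phone generates token
    skimmed = Token(token.value, token.issued_at)  # skimmer's copy
    user_result = issuer.redeem(token, now=t0 + 5) if user_completes else "not attempted"
    skimmer_result = issuer.redeem(skimmed, now=t0 + delay_seconds)
    return user_result, skimmer_result


if __name__ == "__main__":
    print("victim pays, then skimmer tries:     ", relay_scenario(True))
    print("scammer aborts victim's payment:     ", relay_scenario(False))
    print("skimmer waits past 24h:              ",
          relay_scenario(False, delay_seconds=TOKEN_TTL_SECONDS + 1))
```

The aborted-payment case is the one the scam relies on: the token was never redeemed by its owner, so the issuer has no record of it and approves the relay. Completing the genuine transaction, or simply waiting out the window, is what makes the skimmed copy worthless.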
As with regular credit cards, Samsung Pay users should use common sense to keep their payment information secure. If you’re approached by someone who offers to show you how to use Samsung Pay on your phone, turn and walk the other way.