U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A flaw in Samsung Pay could be exploited to remotely skim credit cards

The security expert Salvador Mendoza demonstrated that is it easy to steal Samsung Pay tokens and reuse them to make fraudulent purchases. The security researcher Salvador Mendoza has discovered a flaw in the Samsung Pay system that could be exploited by hackers to remotely skim credit cards. The attackers can steal Samsung Pay tokens and […]

A flaw in Samsung Pay could be exploited to remotely skim credit cards

The security expert Salvador Mendoza demonstrated that is it easy to steal Samsung Pay tokens and reuse them to make fraudulent purchases.

The security researcher Salvador Mendoza has discovered a flaw in the Samsung Pay system that could be exploited by hackers to remotely skim credit cards. The attackers can steal Samsung Pay tokens and use them in another device to make fraudulent transactions.

Samsung Pay is a contactless payment system that comes standard in many modern Samsung smartphones. The system relies on tokens that have been designed to securely include credit card data, but evidently something goes wrong.

The bug affects the tokenization process, it could allow attackers to predict the sequencing of the tokens.

Samsung pay hacking

Those tokens can be stolen by attackers and used in other hardware to make fraudulent transactions without any restrictions.

As a proof-of-concept, Mendoza sent a token to one of his friends in Mexico who would use it with magnetic spoofing hardware to buy something.

Below a video PoC of the hack:

Mendoza also explained that the theft of Samsung Pay can be very easy, said Mendoza.

“Mendoza built a contraption that straps to his forearm and wirelessly steals magnetic secure transmission (known as an MST) when he picks up someone’s phone, which can then email the token to his inbox, so he can compile it into another phone.” Wrote  Zack Whittaker for Zero Day.

“Or, you can hide that hardware to a legitimate card-reading machine like you would with a traditional card skimmer.”

In his PoC Mendoza loaded a token into the MagSpoof device, that is a tiny device that can spoof/emulate any magnetic stripe or credit card. The MagSpoof device was designed by the popular hacker Samy Kamkar (@SamyKamkar), it can work wirelessly, even on standard magstripe/credit card readers.

The tiny gadget dubbed MagSpoof is a credit card/magstripe spoofer and can be used also at non-wireless payment terminals, it is composed of a microcontroller, motor-driver, wire, a resistor, switch, LED, and a battery.

Mendoza confirmed that every credit card, debit card or prepaid card is vulnerable to his attack, meanwhile, gift cards are not impacted because Samsung Pay relies on a scanned barcode rather than a transmitted signal.

“Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform,”  the Samsung spokesperson said.

“If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue,”

UPDATE from Samsung Pay August 8, 2016

Statement on the allegation concerning Samsung Pay security
On August 7, 2016 by Samsung Mobile Security
Keeping payment information safe is a top priority for Samsung Pay which is why Samsung Pay is built with highly advanced security features. It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms.

Samsung Pay is considered safer than payment cards because it transmits one time use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.
Frequently asked questions on this statement may be found here.

For additional information on Samsung Pay Security, please visit here.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Samsung Pay , hacking)