The token-based payment system developed by Samsung called Samsung Pay is vulnerable to credit fraud as hackers can use the tokens generated to carry out transactions remotely, ZDNet reports.
Samsung Pay is a magnetic-based contactless payment system created to do away with the need to enter your credit card details anywhere. It comes as standard on some newer Samsung phones and works by translating credit card data into tokens.
However, a security researcher has highlighted a flaw in this mechanism which, if exploited, allows an attacker to carry out fraudulent transactions from a different phone.
The issue has been highlighted by Salvador Mendoza, who said that the sequence generated by the tokenization process can be predicted because it is quite limited. He explained that after the app has generated the first token for a specific card, future tokens for the same card are easier to predict because they are not as secure. If the tokens are then stolen, they can be used on any other device to carry out fraudulent transactions. This is the newest form of credit card skimming.
Mendoza said that he had tested this finding by sending his friend, who was in Mexico, the token for his card. He said that despite the service not being available in Mexico his friend could carry out transactions from his card without any problem.
The central step in the attack is stealing the tokens, and Mendoza has also demonstrated how that can be done. He built a contraption that fit on his arm and could capture the magnetic secure transmission (MST) signal wirelessly whenever he picked up someone's phone.
The contraption would then email the token to his inbox, from where he could later load it onto another device. In Mendoza's case, he loaded the token onto an open-source magnetic stripe spoofer called MagSpoof and was able to carry out transactions.
Mendoza has warned that cards of all kinds from all banks can be exploited in this manner, with the exception of gift cards, because for gift cards Samsung replaces the magnetic signal with barcode scanning. Samsung has not commented on whether it will look into fixing the issue.
It did issue a statement, though, saying that Samsung Pay uses some of the most advanced security technology currently available and that, if the company finds a potential vulnerability, it will do all it can to resolve it.