This was bound to happen. Mobile payment services are on the rise, and so is hackers’ attention towards them. In a first of its kind, a vulnerability has been discovered in the wildly popular Samsung Pay service. This hack allows unauthorized parties to steal information which can later be used to make fraudulent payments.
Fortunately, this vulnerability was discovered by a security researcher named Salvador Mendoza. He demonstrated this hack on stage at a Black Hat talk in Vegas recently. According to Salvador, Samsung Pay converts the card information into tokens to stop hackers from getting their hands on the sensitive information. These tokens are used for authorizing a purchase, and they are valid for a single use within 24 hours.
However, the tokenization process used by Samsung Pay isn’t sophisticated and thus can be predicted. These predictions can then be used to generate new tokens which can authorize an unsanctioned payment. Salvador created one such token and sent it to a friend abroad who lives in a country where Samsung Pay services are not yet available.
But guess what: the faraway friend used the generated token to make a purchase with the Samsung Pay app accompanied by magnetic spoofing hardware.
There is no proof yet that this technique has been used to make fraudulent purchases or steal sensitive information.
Samsung is neither confirming nor denying this hack, but it has released a statement:
“If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”