Become a fan of Slashdot on Facebook


Forgot your password?
Security The Almighty Buck Privacy Software Wireless Networking Hardware Technology

Samsung Pay Hack Lets Attackers Make Fraudulent Payments ( 16

jmcbain writes: The Verge reports that a security researcher at DefCon outlined a number of attacks targeting Samsung Pay, Samsung's digital payment system that runs on their smartphones. According to the article, the attack "[focuses] on intercepting or fabricating payment tokens -- codes generated by the user's smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. [They expire 24 hours after being generated and are single-use only.]" In a response, Samsung said that "in certain scenarios an attacker could skim a user's payment token and make a fraudulent purchase with their card," but that "the attacker must be physically close to the target while they are making a legitimate purchase."
This discussion has been archived. No new comments can be posted.

Samsung Pay Hack Lets Attackers Make Fraudulent Payments

Comments Filter:
  • but... (Score:2, Insightful)

    by Anonymous Coward

    "the attacker must be physically close to the target while they are making a legitimate purchase."

    s/the attacker/a skimming device planted by the attacker/

    Since when has this ever been a hurdle for fraudsters?

    • Actually, they can be a fair distance away and skim the transaction using the likes of a Yagi-Uda antenna. The very high frequencies the transactional data is transferred at it very small antennas have very high gains. In theory you could sit outside of a door in the comfort of your air conditioned car pointing the antenna at the register and snoop the traffic as it happens. From there...
  • by Anonymous Coward

    Forgive me if I'm being stupid, but I don't understand the summary. A single use token indicates that it can only be used once. Presumably the token is equivalent to the functionality performed by the chips on new cards. I assume the token has to be presented in order for the transaction to ever be approved. That should prevent it for ever being used for another transaction. If so, how is intercepting this token actually a vulnerability of it's already used at the time it's transmitted and would be intercep

    • by Anonymous Coward

      According to the article:

      "Mendoza outlined a number of attacks targeting this. In one scenario, a wrist-mounted device is used to skim tokens generated by the user's smartphone. This would require a user to authenticate â" but not complete â" a mobile payment, with Mendoza suggesting that a hacker might trick the user by asking to see a demonstration of Samsung Pay."

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson