Samsung talks the Pay vulnerability, says it's extremely difficult to pull off
Samsung Pay came under fire after security researcher Salvador Mendoza presented a way to attack the payment service at the security conference Defcon.
The attack works by intercepting the unique payment token that is generated with every transaction using the service. Mendoza demonstrated how tokens can be intercepted by using a wrist-mounted device.
Because the tokens are single-use and expire 24 hours after being generated, the attack requires the user to authenticate using a fingerprint without actually completing the mobile payment.
Check out the 5-minute video, in which Mendoza demonstrates and explains how the vulnerability works.
Furthermore, Mendoza is claiming that he noticed patterns in the way Samsung generates said payment tokens. He explains that a hacker could hypothetically generate fake tokens of their own and steal money this way.
Naturally, Samsung was quick to respond to such claims and explained in a blog post that "Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials."
What Samsung doesn't deny, however, is that it is possible for an attacker to skim a user's payment token and take advantage of it.
However, the company notes that this is "extremely difficult" to pull off, since the attacker must be physically close to the target at the very moment they are making a purchase. Thus the risk has been categorized as an "acceptable" one, according to Samsung and the payment firms it works with.
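A minimal model of the token properties described above (single use, 24-hour expiry), added here as an illustration. It is not Samsung's or the payment networks' code; the `TokenVault` class, the `replay_window` helper and the 300-second comparison lifetime are assumptions made for the example. It shows that a copied token is only accepted while the original is both unspent and unexpired.

```python
import hashlib
import secrets

DAY = 24 * 60 * 60  # token lifetime stated in the article, in seconds


class TokenVault:
    """Toy issuer-side store enforcing single use and expiry (constructed model)."""
    def __init__(self, ttl=DAY):
        self.ttl = ttl
        self._tokens = {}  # sha256(token) -> [issued_at, used]

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, now):
        token = secrets.token_hex(16)  # random value, carries no guessable pattern
        self._tokens[self._key(token)] = [now, False]
        return token

    def redeem(self, token, now):
        record = self._tokens.get(self._key(token))
        if record is None:
            return "rejected: unknown token"
        issued_at, used = record
        if used:
            return "rejected: already used"
        if now - issued_at > self.ttl:
            return "rejected: expired"
        record[1] = True  # mark as spent before approving, so a second use fails
        return "approved"


def replay_window(ttl, owner_pays_at, copy_presented_at):
    """Issue one token at t=0; return (owner result, copied-token result)."""
    vault = TokenVault(ttl)
    token = vault.issue(now=0)
    events = [(copy_presented_at, "copy")]
    if owner_pays_at is not None:  # None models an authenticated but unfinished payment
        events.append((owner_pays_at, "owner"))
    results = {"owner": None, "copy": None}
    for when, who in sorted(events):
        results[who] = vault.redeem(token, now=when)
    return results["owner"], results["copy"]


if __name__ == "__main__":
    print([replay_window(*c) for c in ((DAY, 5, 3600), (DAY, None, 3600), (300, None, 3600))])
```

The second case is the one the article describes: the payment is never completed, so the copy stays valid for the rest of the lifetime, and shortening that lifetime is what closes the window.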
Reader comments
- refuses to update
- 14 Aug 2016
- qka
I'd like to give my "two cents"...or is it tencent now? Inflation...go figure. Anyway, I am a college graduate...twice over btw...and am highly intelligent. THAT'S exactly why I DON'T UPDATE. Considering the character flaws that have come upon th...
- Akinaro
- 10 Aug 2016
- J8}
Samsung is not alone here, most of today's new paying methods are made in a really weird and lame way (like the 24h delay before it expires). No one cares that they actually manage our money, they advertise it as a cool feature that you just "use" like it wou...
- viveksubhash
- 10 Aug 2016
- utN
I don't understand... usual payment gateway instances expire in 3-5 min... 24hrs??? What are we dealing with?