Samsung talks the Pay vulnerability, says it's extremely difficult to pull off

Vince, 09 August, 2016

Samsung Pay came under fire after security researcher Salvador Mendoza presented a way to attack the payment service at the Defcon security conference.

The attack works by intercepting the unique payment token that the service generates for every transaction. Mendoza demonstrated how tokens can be intercepted using a wrist-mounted device.

Because the tokens are single-use and expire 24 hours after being generated, the attack requires the user to authenticate with a fingerprint (which generates a token) without actually completing the mobile payment, so the intercepted token is still unused and valid when it is replayed.
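To make the two properties described above concrete (single-use tokens with a 24-hour expiry), here is an added example that is not Samsung's code and is not from the article: a minimal issuer-side token register with assumed names, an assumed TTL parameter and a constructed scenario. It shows that a token generated by a fingerprint authentication but never spent stays redeemable for the whole validity window, that a completed purchase makes a skimmed copy worthless, and how a shorter window shrinks the exposure.

```python
"""Single-use payment token register with a time-to-live (TTL).

Added example, not Samsung Pay's implementation. It models only the two
properties the article states (one-time use, expiry after a fixed window);
the class, method names, TTL values and sample timeline are assumptions.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenRegister:
    """Issuer-side bookkeeping: when each token was issued and which were spent."""
    ttl_seconds: float                                   # validity window
    _issued: dict = field(default_factory=dict)          # token -> issue time
    _spent: set = field(default_factory=set)             # tokens already redeemed

    def issue(self, now: float) -> str:
        """Mint a fresh random token; corresponds to the user authenticating."""
        token = secrets.token_hex(8)
        self._issued[token] = now
        return token

    def redeem(self, token: str, now: float) -> str:
        """Validate a token presented at a terminal.

        Returns one of 'accepted', 'expired', 'replayed' or 'unknown'.
        The checks are ordered so that a spent token is reported as a replay
        even if it has also expired, which is the more useful signal to log.
        """
        issued_at = self._issued.get(token)
        if issued_at is None:
            return "unknown"
        if token in self._spent:
            return "replayed"
        if now - issued_at > self.ttl_seconds:
            return "expired"
        self._spent.add(token)
        return "accepted"


def simulate(ttl_seconds: float, skim_delay: float, user_completes: bool) -> str:
    """Constructed timeline for the scenario in the article.

    t=0      the user authenticates and a token is generated; a copy is skimmed.
    t=0      if user_completes, the user actually pays with the token.
    t=delay  the skimmed copy is presented at a terminal.
    Returns the register's verdict on that later presentation.
    """
    register = TokenRegister(ttl_seconds=ttl_seconds)
    token = register.issue(now=0.0)
    if user_completes:
        assert register.redeem(token, now=0.0) == "accepted"
    return register.redeem(token, now=skim_delay)


def exposure_seconds(ttl_seconds: float, skim_delay: float, user_completes: bool) -> float:
    """Seconds during which an unspent skimmed token remains redeemable.

    Zero once the legitimate purchase completes; otherwise the rest of the TTL.
    """
    if user_completes:
        return 0.0
    return max(0.0, ttl_seconds - skim_delay)


if __name__ == "__main__":
    day, five_minutes, one_hour = 24 * 3600, 5 * 60, 3600
    print("24h TTL, unused token, replay after 1h :", simulate(day, one_hour, False))
    print("5m TTL, unused token, replay after 1h  :", simulate(five_minutes, one_hour, False))
    print("24h TTL, purchase completed, replay    :", simulate(day, one_hour, True))
    print("remaining exposure (24h TTL, 1h later) :", exposure_seconds(day, one_hour, False))
```

The ordering of checks in `redeem` matters for detection: reporting a spent token as "replayed" before checking expiry means a terminal or issuer log line distinguishes an attempted reuse from an innocent stale token, which is the event worth alerting on.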

Check out the 5-minute video, in which Mendoza demonstrates and explains how the vulnerability works.

Furthermore, Mendoza claims he noticed patterns in the way Samsung generates these payment tokens, and that a hacker could hypothetically generate fake tokens of their own and steal money that way.

Naturally, Samsung was quick to respond to such claims and explained in a blog post that "Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials."

What Samsung doesn't deny, however, is that it is possible for an attacker to skim a user's payment token and take advantage of it.

However, the company notes that this is "extremely difficult" to pull off, since the attacker must be physically close to the target at the very moment they are making a purchase. Thus the risk has been categorized as an "acceptable" one, according to Samsung and the payment firms it works with.


Reader comments

  • refuses to update
  • 14 Aug 2016
  • qka

I'd like to give my "two cents"... or is it ten cents now? Inflation... go figure. Anyway, I am a college graduate... twice over btw... and am highly intelligent. THAT'S exactly why I DON'T UPDATE. Considering the character flaws that have come upon th...

Samsung is not alone here; most of today's new paying methods are made in a really weird and lame way (like a 24h delay before it expires). No one cares that they actually manage our money; they advertise it as a cool feature that you just "use" like it wou...

I don't understand... usual payment gateway instances expire in 3-5 min... 24hrs??? What are we dealing with?
