A security researcher has found what he describes as a flaw in the Samsung Pay application which could allegedly let criminals wirelessly steal users' credit card data.
The attack has not been seen in the wild, but it was presented last week at the Black Hat conference in Las Vegas. There, researcher Salvador Mendoza explained that Samsung Pay protects card numbers by replacing them with "tokens", so the card number itself is never handed to the merchant. According to Mendoza, however, the tokenization process has limitations that make the tokens predictable.
Mendoza said he was able to exploit that predictability to generate a valid token himself. He also claims to have sent the token to a friend in Mexico, where Samsung Pay is not yet available; his collaborator was nevertheless able to use it to make a purchase, with magnetic stripe spoofing hardware standing in for the Samsung Pay app.
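To make the security point concrete, here is an added, constructed simulation (not Samsung Pay's real tokenization, whose internals the article does not describe, and not Mendoza's code). A toy issuer pre-computes a window of single-use tokens for one card. In the hypothetical "predictable" variant the whole token stream is derived from a deliberately tiny seed; in the "random" variant each token comes from the OS CSPRNG. An attacker who has observed two tokens tries to compute the third and spend it before the cardholder does. The class and function names, `SEED_BITS` and `WINDOW` are all assumptions of this example.

```python
"""Added example: why token predictability matters.

Constructed simulation, NOT Samsung Pay's real scheme. A toy issuer
pre-computes a window of single-use tokens for one card; the "predictable"
variant derives the whole stream from a deliberately tiny seed, the
"random" variant draws each token from the OS CSPRNG.
"""
from __future__ import annotations

import random
import secrets
from typing import Optional

SEED_BITS = 14   # hypothetical weak design: only 2**14 possible token streams
WINDOW = 8       # tokens issued to the phone ahead of time, used in order


class TokenService:
    """Toy issuer/validator for one card's tokens."""

    def __init__(self, predictable: bool) -> None:
        if predictable:
            # Weak: every token is a function of a small seed, so observing a
            # few tokens lets an attacker recover the seed by brute force.
            rng = random.Random(secrets.randbelow(1 << SEED_BITS))
            draw = lambda: rng.getrandbits(64)
        else:
            # Sound: each token carries 64 bits of fresh entropy.
            draw = lambda: secrets.randbits(64)
        self.window = [draw() for _ in range(WINDOW)]  # handed to the phone, in order
        self.unspent = set(self.window)                # validator state

    def redeem(self, token: int) -> str:
        """Issuer side: a token is good once, and only if it was actually issued."""
        if token in self.unspent:
            self.unspent.remove(token)
            return "approved"
        return "declined"


def predict_next(observed: list[int]) -> Optional[int]:
    """Attacker: search the seed space for a stream that reproduces the observed
    tokens and return the token that stream emits next; None if no seed fits."""
    for seed in range(1 << SEED_BITS):
        rng = random.Random(seed)
        if all(rng.getrandbits(64) == tok for tok in observed):
            return rng.getrandbits(64)
    return None


def run_scenario(predictable: bool) -> dict[str, str]:
    """Two normal purchases, then a replay, a predicted token, and the victim's next tap."""
    svc = TokenService(predictable)
    phone = iter(svc.window)               # the legitimate wallet consumes tokens in order
    sniffed = [next(phone), next(phone)]   # attacker captures two tokens at a terminal
    for tok in sniffed:                    # ...which the cardholder spends normally
        svc.redeem(tok)
    guess = predict_next(sniffed)
    return {
        "replay_of_used_token": svc.redeem(sniffed[0]),
        "predicted_token": "no prediction" if guess is None else svc.redeem(guess),
        "victims_next_purchase": svc.redeem(next(phone)),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("predictable" if mode else "random", run_scenario(mode))
```

Single-use checking alone is not enough: in the predictable variant the replayed token is declined, but the attacker's computed token is approved because it is a genuine, not-yet-spent token, and the cardholder's own next purchase is then declined. With unpredictable tokens the brute force finds nothing and the cardholder's purchase goes through. The seed space is kept tiny only so the search finishes in well under a second; a real design must not have a searchable seed space at all.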
Samsung has not confirmed the vulnerability, and there is no evidence that the app is being abused to steal card data. When informed of Mendoza's findings, the company stated:
“If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”
The company also pointed out that Samsung Pay uses multiple layers of security and that the Samsung Knox platform is there to keep purchases made through the app safe.
Reassuring as that statement is, Mendoza's experiment is worth keeping in mind: a token scheme is only as strong as the unpredictability of its tokens, and a token that can be guessed before the cardholder uses it can be spent by someone else.