Samsung said that reports of a vulnerability in Samsung Pay mobile payments were “simply not true” – but also admitted that token skimming was, in fact, possible but difficult enough that the potential risk was acceptable.
Security researcher Salvador Mendoza demonstrated a flaw in Samsung Pay at Black Hat last week, in which the tokens used to secure transactions could be predicted, and used to authorise fraudulent payments.
Samsung responded with a statement saying, “Samsung Pay is safe and secure, and consumers can be assured that there is no known risk associated to using our payment service.”
But then, in a separate, more detailed document, Samsung admitted that it is possible to capture a token, but said that it was extremely difficult to do so.
“This skimming attack model has been a known issue reviewed by the card networks and Samsung Pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack,” Samsung said.
The company did not respond to a request for additional information. Mendoza posted a follow-up video on Tuesday, again demonstrating the vulnerability.
“I made this video without cutting or editing anything from it, making a transaction using MagSpoof,” he said in a note posted along with the video. MagSpoof is an open-source hardware device that emulates a magnetic stripe card by generating the electromagnetic field a card reader expects, so an attacker who has captured a token can present it to a terminal without a physical card. “According to Samsung's statement this transaction had to be declined. But it went through.”
The fact that an attack is difficult is not much of a barrier in a world where criminals routinely package and sell ready-to-go exploits to one another; once one person has built the tooling, the skill needed to repeat the attack drops sharply.
“An attacker has to prepare a complete scenario to be successful,” he said. “But that does not mean that it is complex or expensive. Basically, each tool that I made costs around $50. So many people with computer science knowledge could make something similar.”