Samsung Pay – the vulnerability that allows money to be stolen

Samsung Pay is a mobile payment system developed by Samsung in response to Apple Pay, which Apple launched almost a year before the Korean platform. Unfortunately, the rush to bring the system to market came with a major security problem that can leave users without their money.

More specifically, Samsung Pay has a vulnerability in its transaction tokenization system: attackers can predict how the platform will generate future tokens and then use those tokens on other terminals to make fraudulent transactions and steal users' money.

Samsung Pay, like Apple Pay, uses tokens to secure and anonymize transactions made from mobile devices, but this system is poorly thought out, so attackers can exploit it to steal users' money without the victim realizing what is happening until they check their bank transactions.

Samsung Pay allows money to be stolen

Basically, Samsung Pay generates a token the first time a credit card is used to make a mobile payment. Although that first token is hard to guess, the ones the system generates afterwards are much easier to predict, so attackers can derive them themselves and use them to make fraudulent transactions.

Salvador Mendoza found that the tokenization process is limited and the sequencing of the tokens can be predicted. ... he explained that the tokenization process gets weaker after the app generates the first token from a specific card, meaning that there's a greater chance that future tokens could be predicted. Those tokens can be stolen and used in other hardware to make fraudulent transactions — effectively a new form of card skimming — without restrictions.
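The property described above, that the first token is unpredictable but later ones follow from it, is easier to reason about with a toy model. The following Python is an added example written for this page, not Samsung Pay's real algorithm or Mendoza's code: the "weak" scheme, its derivation rule, the token length and the ledger are all constructed assumptions. It contrasts a chained generator with one that draws every token from a CSPRNG, and shows the two checks a defender cares about: whether one observed token lets you reproduce the next, and whether the accepting side rejects a token that is presented twice.

```python
import hashlib
import secrets

TOKEN_LEN = 8  # bytes; constructed toy size, not the real token format


def weak_derive_next(prev: bytes) -> bytes:
    """Hypothetical weak scheme (constructed for this example): every token
    after the first is a fixed, keyless function of the previous one, so
    whoever observes one token can compute every token that follows."""
    return hashlib.sha256(b"next|" + prev).digest()[:TOKEN_LEN]


class WeakTokenizer:
    """Strong random seed for the first token, deterministic chaining afterwards."""

    def __init__(self) -> None:
        self._state = secrets.token_bytes(TOKEN_LEN)

    def next_token(self) -> bytes:
        self._state = weak_derive_next(self._state)
        return self._state


class StrongTokenizer:
    """Every token is fresh CSPRNG output; earlier tokens reveal nothing about later ones."""

    def next_token(self) -> bytes:
        return secrets.token_bytes(TOKEN_LEN)


def next_is_derivable(observed: bytes, actual_next: bytes) -> bool:
    """Defender's self-check on a candidate scheme: given a single observed
    token, does the weak derivation rule reproduce the token that followed it?"""
    return weak_derive_next(observed) == actual_next


class TokenLedger:
    """Server-side single-use enforcement: a token presented a second time, from
    any terminal, is refused. This limits replay even if the generator is weak."""

    def __init__(self) -> None:
        self._spent: set = set()

    def accept(self, token: bytes) -> bool:
        if token in self._spent:
            return False
        self._spent.add(token)
        return True


def demo() -> dict:
    """Run both generators and the ledger once; returns the four check results."""
    weak, strong = WeakTokenizer(), StrongTokenizer()
    w1, w2 = weak.next_token(), weak.next_token()
    s1, s2 = strong.next_token(), strong.next_token()
    ledger = TokenLedger()
    return {
        "weak_derivable": next_is_derivable(w1, w2),      # True: chain is predictable
        "strong_derivable": next_is_derivable(s1, s2),    # False (except with negligible chance)
        "first_use_accepted": ledger.accept(w1),          # True
        "replay_accepted": ledger.accept(w1),             # False: same token refused
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the ledger is that generator quality and replay resistance are separate controls: even a perfectly random token must still be single-use on the accepting side, otherwise a captured token can be reused on another device exactly as the article describes.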

To demonstrate the attack, the security researcher who discovered the vulnerability built a gadget that captures payment tokens at the moment they are transmitted; the procedure itself is not as complicated as it first appears.

Mendoza built a contraption that straps to his forearm and wirelessly captures the magnetic secure transmission (MST) signal when he picks up someone's phone; the device can then email the token to his inbox, so he can load it onto another phone. Alternatively, the hardware can be hidden in a legitimate card-reading machine, as with a traditional card skimmer.

Unfortunately for users, only Samsung can fix the problem, by updating Samsung Pay, and if a token has already been stolen, the only remedy is to remove the card from Samsung Pay.