Every year the Black Hat conference highlights and analyzes security vulnerabilities in common services public awareness and a little infamy. On Sunday, a researcher released a paper criticizing the point-of-service purchasing system Samsung Pay for perceived weakness in its algorithm that could be exploited by hackers. In its security blog, the Korean tech giant refuted the claims, insisting that its math is different than described in the report and therefore still sound.
Samsung Pay works kind of like bank card chips: slide a phone over a reader synced up to the service and it broadcasts a "token" number inspired by but not exactly like that of the linked financial account. Unlike a magnetic strip on the back of your typical bank plastic, which delivers exactly the sixteen digits on the front and therefore can be reused infinitely, these "tokenized" systems are only created for that single transaction.
Of course, the account and "token" numbers have to be linked somehow, or systems wouldn't know where to charge purchases. That's where the algorithm comes in, a formula that generates new temporary numbers that is, users trust, too complex for hackers to crack. In his paper, Black Hat researcher Salvador Mendoza lays out how he believes this system works, including how the one-time "tokens" are generated, and lays out three scenarios for hackers to break into that algorithm: use a magnetic card spoofer to generate tokens, jam a transaction to force another temporary code to be generated while the hacker uses the first and use a social engineering tool to capture tokens and transmit them by email.
Naturally, Samsung denies that its algorithm works how Mendoza described it. Its security blog post points to a technology FAQ illustrating how its system protects against hackers: first, with its Knox software-and-hardware identity verification, and second, with TrustZone processor architecture built specifically to run sensitive processes separately from typical ones.
The FAQ doesn't say that some of these methods, like jamming the signal and "skimming" unused tokens, is impossible, just extremely unlikely. To work, it would have to meet several requirements: the hacker would have to be physically near the purchase and jam the user before approving it. Even then, the Samsung Pay user would be alerted when the scammer used the token. This is a known issue, the FAQ notes, but given that every purchase runs through both the tech giant's and the bank's fraud analysis algorithm, they deemed it extremely unlikely and therefore acceptable.
Update: Samsung has issued a statement, included below:
Recent reports implying that Samsung Pay is flawed are simply not true. Samsung Pay uses a multi-layer security system that works in tandem with the security systems of our partners to detect any emerging threats. Samsung Pay is safe, secure and consumers can be assured that there is no known risk associated to using our payment service."