Samsung Pay tokens explained in wake of Def Con exploit
Shortly after security researcher Salvador Mendoza revealed that Samsung Pay authentication tokens could be intercepted and used by fraudsters to make purchases on their victims’ dime, Samsung responded with a blog post and several FAQ answers.
First of all, the company addressed the three things that get sent to vendors for each Samsung Pay transaction.
- A token containing unique, one-time card credentials; it is a surrogate for the real card data.
- A transaction counter that ensures the token is used only once, not for multiple purchases.
- A cryptogram that acts as a verification key, indicating that none of the payment data has been tampered with.
Samsung wrote that both the token and the cryptogram are needed to make a purchase, so a token alone shouldn’t get a payment through. Theoretically, if black hats can obtain both and get the user to authenticate the initial skimming “purchase,” a fraudulent purchase is possible, but acquiring both would require a sales terminal and a way to jam the signal between the terminal and the card issuer, so that the issuer cannot immediately mediate any payment dispute that may take place.
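To make concrete why the three fields work together, here is an added example (not code from Samsung or from the article) that models an issuer-side authorization check: a one-time token, a strictly increasing transaction counter, and a cryptogram computed over the payment fields. The wire format, the HMAC-SHA256 construction, and the names `Wallet`, `Issuer`, `PaymentMessage` and `authorize` are all assumptions for illustration; the real Samsung Pay cryptogram algorithm is not described on the page. The example shows that a captured message replays as a rejected counter, that the token without its cryptogram is refused, and that altering any field invalidates the cryptogram.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed model of the three fields the article lists. The layout and the
# HMAC-based cryptogram are assumptions, not Samsung's actual design.


@dataclass(frozen=True)
class PaymentMessage:
    token: str        # surrogate card credential, not the real card number
    counter: int      # transaction counter; the issuer accepts each value once
    amount_cents: int
    cryptogram: str   # hex HMAC over token, counter and amount


def compute_cryptogram(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    """Assumed construction: HMAC-SHA256 over the payment fields (not Samsung's)."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Wallet:
    """Phone side (hypothetical): holds the token key and emits one message per tap."""

    def __init__(self, token: str, key: bytes):
        self.token = token
        self.key = key
        self.counter = 0

    def pay(self, amount_cents: int) -> PaymentMessage:
        self.counter += 1
        cryptogram = compute_cryptogram(self.key, self.token, self.counter, amount_cents)
        return PaymentMessage(self.token, self.counter, amount_cents, cryptogram)


class Issuer:
    """Issuer side (hypothetical): knows each token's key and the last counter accepted."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def provision(self, token: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[token] = key
        self.last_counter[token] = 0
        return key

    def authorize(self, m: PaymentMessage) -> str:
        key = self.keys.get(m.token)
        if key is None:
            return "unknown_token"
        expected = compute_cryptogram(key, m.token, m.counter, m.amount_cents)
        if not hmac.compare_digest(expected, m.cryptogram):
            return "bad_cryptogram"   # fields altered, or cryptogram missing/forged
        if m.counter <= self.last_counter[m.token]:
            return "replay"           # counter already consumed: a skimmed copy
        self.last_counter[m.token] = m.counter
        return "approved"


def demo() -> dict[str, str]:
    """Run the scenarios the article discusses and return each outcome."""
    issuer = Issuer()
    key = issuer.provision("tok-demo-0001")          # constructed token id
    wallet = Wallet("tok-demo-0001", key)
    results: dict[str, str] = {}

    genuine = wallet.pay(1999)
    results["genuine"] = issuer.authorize(genuine)
    # Replaying the captured message after the issuer has already seen it.
    results["replay"] = issuer.authorize(genuine)
    # Token and counter captured, but no cryptogram: the fields alone do not authorize.
    results["token_only"] = issuer.authorize(
        PaymentMessage(genuine.token, genuine.counter + 1, 1999, ""))
    # Captured message with the amount changed: the cryptogram no longer matches.
    results["tampered"] = issuer.authorize(
        PaymentMessage(genuine.token, genuine.counter + 1, 999_999, genuine.cryptogram))
    # The legitimate wallet's next tap still goes through.
    results["next"] = issuer.authorize(wallet.pay(500))
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>10}: {outcome}")
```

The cryptogram is checked before the counter so that a forged message cannot be used to probe which counters the issuer has already consumed; in a real deployment the counter check would also need to tolerate out-of-order delivery within a small window, which this model deliberately omits.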
“In summary, Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token,” the blog post reads.
Samsung and its partner card issuers have labeled this an “acceptable” risk, given how complex an operation skimming a token would actually be. That said, with all of this information going public, that statement could be tempting fate.
Remember that while your card information may be safe, one guy or gal on the street could simply be using your money to get away with a big ticket purchase that will be difficult to refund to all parties involved. Catching a credit card copper in this fashion is going to be difficult.