Samsung Pay in Mexico? Nope, just a security threat
There’s more security news in the wake of Def Con 24, and it involves how Samsung Pay handles its mobile payment transactions. One Salvador Mendoza has found a way to steal authentication tokens and use them in a spoofing device to commit fraud.
Mendoza details the process in a video.
The problem comes down to the tokens, which are created each time someone activates the transaction UI and do not expire until about a day later. These tokens, if collected by a fake reader or something similar, can be used by miscreants to make authentic purchases on the Samsung Pay user’s dime. No need to steal information, just a token.
As a test, Mendoza sent a Samsung Pay token to a friend in Mexico. That person was able to load the token onto spoofing hardware and then make a purchase with that token. Samsung Pay is not active in Mexico.
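The following is an added example, not code from the article, from Mendoza or from Samsung. It is a hypothetical issuer-side validator showing why a day-long lifetime lets a token that was captured but never spent be redeemed hours later somewhere else, and how a short lifetime and a region check change that outcome. The class, the 60-second limit, the region list and the token names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DAY_S = 24 * 60 * 60  # roughly the token lifetime the article reports


@dataclass
class TokenValidator:
    """Issuer-side checks for one-time payment tokens (hypothetical design)."""
    max_age_s: int                          # how long an unspent token stays valid
    enabled_regions: Optional[frozenset]    # None means no region check at all
    issued: dict = field(default_factory=dict)  # token -> issue time in seconds
    spent: set = field(default_factory=set)     # tokens already redeemed

    def issue(self, token: str, now: int) -> None:
        self.issued[token] = now

    def redeem(self, token: str, region: str, now: int) -> str:
        if token not in self.issued:
            return "unknown_token"
        if token in self.spent:
            return "replayed"
        # A token collected by a fake reader before the cardholder pays is
        # still unspent, so the single-use check above cannot catch it.
        # Age and region are the checks that have to.
        if now - self.issued[token] > self.max_age_s:
            return "expired"
        if self.enabled_regions is not None and region not in self.enabled_regions:
            return "region_not_enabled"
        self.spent.add(token)
        return "approved"


def demo() -> dict:
    """Run the same constructed token events through a lax and a strict policy."""
    lax = TokenValidator(max_age_s=DAY_S, enabled_regions=None)
    strict = TokenValidator(max_age_s=60, enabled_regions=frozenset({"US", "KR"}))
    results = {}
    for name, v in (("lax", lax), ("strict", strict)):
        for tok in ("tok-normal", "tok-skimmed", "tok-fresh"):  # constructed names
            v.issue(tok, now=0)
        results[name] = [
            v.redeem("tok-normal", "US", now=10),          # cardholder pays
            v.redeem("tok-normal", "US", now=20),          # same token presented again
            v.redeem("tok-skimmed", "MX", now=3 * 3600),   # unspent token used hours later
            v.redeem("tok-fresh", "MX", now=30),           # unspent token, inactive region
        ]
    return results
```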
Samsung released a general statement in response to an inquiry, saying that “if at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue” and assuring users of the technology’s security.