Samsung responded to claims made by a security researcher that its contactless payment service has vulnerabilities.

Speaking at last week’s Black Hat and DEF CON events, Salvador Mendoza said he had hacked Samsung Pay’s tokenisation system, which is central to making the service secure.

Mendoza’s method involved intercepting or imitating payment tokens, which are substitutes for sending actual credit or debit card data between the smartphone and the point-of-sale terminal. Tokens expire 24 hours after being generated and are single-use only.

The attack has potential implications for other payment services, in addition to Samsung Pay, that use a similar setup.

In a white paper, Mendoza claimed to have discerned patterns in how tokens are generated so, in theory, a hacker could create their own. “If an attacker analyses the tokens very carefully, he/she could implement a guessing method, a brute force attack or a tokens’ dictionary attack,” he wrote.

In another scenario outlined by Mendoza, an attacker could jam a transaction so that Samsung Pay is forced to generate a new token. Meanwhile, the attacker intercepts and holds the old token, then uses it to make a payment.

Mendoza also described a scenario in which a hacker tricks a user into demonstrating how Samsung Pay works. Using a hidden, wrist-worn device, the hacker captures the token, then uses it to make a purchase at a vending machine.

Samsung’s response
Initially, as The Register pointed out, Samsung dismissed reports that the payment service is flawed as “simply not true”. After Mendoza stuck to his guns, the company amended the statement on its security blog.

“Keeping payment information safe is a top priority for Samsung Pay which is why Samsung Pay is built with highly advanced security features,” it said.

“It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms,” it added.

The company claimed Samsung Pay is safer than payment cards “because it transmits one time use data that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.”

In the FAQs accompanying the statement, the company addresses the possibility of a hacker capturing a token on a separate device. It says such a process is “extremely unlikely” but does not dismiss it entirely.

“In order for this ‘token skimming’ to work, multiple difficult conditions must be met,” it said. For instance, it points out that a hacker with a concealed device must be “in very close proximity” to the smartphone making the payment, which makes a capture more difficult.

And even if the fraudster did capture the signal, they would have to ensure the original payment signal from the legitimate user does not reach the card issuer for approval. Otherwise, the captured signal would be useless.

Ensuring this may require the fraudster to jam the connection between the phone and the POS terminal, or to complete the transaction quickly, before the legitimate signal reaches the terminal and the card issuer.

“Because users typically permit the cryptogram generation just before their payment at the POS, these conditions would be very difficult to meet in practice,” it said.
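The following is an added example, not code from the article, from Mendoza, or from Samsung. It models the issuer-side token ledger implied by the description above (tokens are single-use and expire after 24 hours) and runs the two situations the article contrasts: a captured token replayed after the legitimate tap has already been approved, and the jammed transaction in which the legitimate presentation never reaches the issuer and the phone issues a replacement token. Token values, the device identifier, the timestamps and the "older than the device's latest token" review flag are all my own constructed assumptions; nothing on the page describes Samsung's real token format or back-end checks.

```python
"""Issuer-side model of single-use, time-limited payment tokens.

Constructed example: shows why "single use" and "expires after 24 hours"
stop a straightforward replay, and why those two checks alone do not help
when the legitimate presentation never reached the issuer (the jammed
transaction the article describes).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TOKEN_LIFETIME = timedelta(hours=24)  # lifetime stated in the article


@dataclass
class IssuedToken:
    token: str
    device_id: str
    issued_at: datetime
    redeemed_at: Optional[datetime] = None


@dataclass
class Issuer:
    """Ledger of tokens handed out to devices, plus an audit log of decisions."""
    ledger: Dict[str, IssuedToken] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)
    _counter: int = 0

    def issue(self, device_id: str, now: datetime) -> str:
        # Hypothetical token value; the page does not describe the real format.
        self._counter += 1
        tok = f"tok-{self._counter:04d}"
        self.ledger[tok] = IssuedToken(tok, device_id, now)
        return tok

    def authorize(self, tok: str, now: datetime) -> Tuple[str, str]:
        entry = self.ledger.get(tok)
        if entry is None:
            return self._decide(tok, "reject", "unknown token")
        if now - entry.issued_at > TOKEN_LIFETIME:
            return self._decide(tok, "reject", "token expired")
        if entry.redeemed_at is not None:
            return self._decide(tok, "reject", "token already used")
        # Review heuristic (my assumption, not from the article): a token that
        # is redeemed after the same device already obtained a newer token is
        # consistent with a jammed-then-replayed presentation. Approve, but
        # flag it so a fraud analyst sees it.
        newer = [t for t in self.ledger.values()
                 if t.device_id == entry.device_id and t.issued_at > entry.issued_at]
        entry.redeemed_at = now
        if newer:
            return self._decide(tok, "approve", "flag: older than device's latest token")
        return self._decide(tok, "approve", "ok")

    def _decide(self, tok: str, verdict: str, reason: str) -> Tuple[str, str]:
        self.audit.append((tok, verdict, reason))
        return verdict, reason


T0 = datetime(2016, 8, 8, 12, 0)  # constructed timestamp


def scenario_plain_replay():
    """Legitimate tap reaches the issuer first; a captured copy is replayed later."""
    issuer = Issuer()
    tok = issuer.issue("phone-A", T0)
    legit = issuer.authorize(tok, T0 + timedelta(seconds=2))
    replay = issuer.authorize(tok, T0 + timedelta(minutes=10))
    return legit, replay


def scenario_jammed_transaction():
    """The first presentation never reaches the issuer; the phone issues a
    replacement token for the retry, and the captured first token is
    presented afterwards."""
    issuer = Issuer()
    first = issuer.issue("phone-A", T0)
    # The first token's presentation is jammed: the issuer never sees it.
    second = issuer.issue("phone-A", T0 + timedelta(seconds=30))
    retry = issuer.authorize(second, T0 + timedelta(seconds=32))
    replay = issuer.authorize(first, T0 + timedelta(minutes=10))
    return retry, replay


def scenario_expired():
    """A token held past its 24-hour lifetime is refused regardless of history."""
    issuer = Issuer()
    tok = issuer.issue("phone-A", T0)
    return issuer.authorize(tok, T0 + timedelta(hours=25))


if __name__ == "__main__":
    print("plain replay:", scenario_plain_replay())
    print("jammed transaction:", scenario_jammed_transaction())
    print("expired:", scenario_expired())
```

In the plain-replay case the single-use check is enough: the issuer has already recorded the token as redeemed. In the jammed case the single-use and expiry checks both pass, which is exactly the condition the FAQ describes, and the only remaining defender-side signal in this model is that the device already had a newer token when the older one arrived; that flag is a constructed heuristic, not a described Samsung control.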