Samsung: Hackers can't pwn our NFC payment kit. No way, nuh-uh, not true (Well, OK, maybe)

A war of words has broken out after a security researcher claimed last week that Samsung's contactless mobile payment system is vulnerable to skimming and spoofing attacks. In talks at both the Black Hat and DEF CON security conferences, held last week in Las Vegas, Salvador Mendoza claimed that he was able to intercept a …

  1. Sebastian A

    Saying your technology is unhackable (unlike everything that has ever come before) is at best hopelessly optimistic and at worst criminally misleading. The best you can say is "We've implemented protections against every known and hypothesised attack and are continuously improving our defences as new exploits come to the fore." Of course that's not as peppy as "We're unhackable!" but it's also not as stupid.

  2. Andrew Jones 2

    You can't argue with a working proof of concept video.....

    So, they can claim he is wrong as much as they want, the video is pretty conclusive proof - and makes you immediately question the decision to generate tokens as soon as app activity is started and NOT invalidate them within a short space of time. 24 hours!! Seriously! Why?! I can't be the only one who thinks 30 seconds is more than generous - after all it doesn't matter how long the actual transaction takes, once the token has been transmitted that should be it. That video is pretty scary stuff actually because removing the whole compiling process from the equation - as I'd imagine this would run on kit that dynamically replaced the hardcoded token in the code on each successful skim - this looks like stealing tokens from people would be ridiculously easy - especially with some of the long range modifications. You'd be surprised how many people open their payment app while standing in the queue - just to make sure it's working, doesn't crash, is using the correct card etc so everything should be straightforward at the point they are actually paying.

    1. DougS Silver badge

      Re: You can't argue with a working proof of concept video.....

      While 30 seconds may be a bit quick - some shops in remote places might have a dialup line that is activated to process payments, or an overloaded satellite link - 24 hours is definitely way way way too long. The really criminal thing though is the three digits....seriously?

      I'm not sure how much flexibility there is in the EMV protocol, I sure hope the three digits thing isn't part of the spec! Seems to me that if the payment terminal created a one time key, passed that to the phone, then the phone encrypted the transaction using that key you'd have something that couldn't possibly be replayed to any other payment terminal. Obviously it is feasible to do that, but sometimes doing things the right way gets compromised due to wanting to drive down cost...i.e. making the payment terminals cheaper.

      Anyone know if there's an EMV spec available for download anywhere, or is it one of those things that's top secret unless you've paid big bucks to be a member of the club? Apple has a lengthy security document about overall iOS security but it doesn't delve into the internals of how Apple Pay works. Not sure if that's in another document, or if Apple isn't permitted to give away the dirty details of the EMV protocols. It would be interesting to compare how they are doing things to how Samsung did them.

      1. Prst. V.Jeltz Silver badge

        Re: You can't argue with a working proof of concept video.....

        " The second part is a counter that increments on every transaction in an attempt to thwart replay attacks"

        You gotta wonder how much of those 3 digits is this counter?

        Maybe the initial token is bigger and they do a 'digit sum' thing until it gets down to 3

      2. Mike 125

        Re: You can't argue with a working proof of concept video.....

        @DougS

        >>but sometimes doing things the right way gets compromised due to wanting to drive down cost...i.e. making the payment terminals cheaper.

        Yes, and also compromised by inappropriate speed optimisations: an extra 13 digits to create a properly safe MAC, all going over NFC, could be seen as taking a few ms too many. Usability always trumps good security.

        This is fun - it's a fair bet Apple use the same system.

        1. DougS Silver badge

          Re: You can't argue with a working proof of concept video.....

          IMHO, the only reason Apple would use such a poorly designed and insecure system would be if the EMV spec left them no choice.
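
Added example, not part of the thread or of any vendor's code: a toy issuer-side check in Python comparing the token-lifetime and terminal-challenge ideas raised in the comments above. The class names, the shared `DEVICE_KEY`, and the use of an HMAC over a terminal nonce (rather than encryption under a terminal-generated key) are assumptions for illustration and do not describe Samsung Pay or the EMV specification.

```python
import hashlib, hmac, secrets

DEVICE_KEY = secrets.token_bytes(32)  # constructed secret shared by device and issuer

class BearerIssuer:
    """Hypothetical issuer: any unexpired token is accepted, however often."""
    def __init__(self, ttl_seconds):
        self.ttl, self.issued = ttl_seconds, {}
    def issue(self, now):
        token = secrets.token_hex(8)
        self.issued[token] = now
        return token
    def verify(self, token, now):
        start = self.issued.get(token)
        return start is not None and now - start <= self.ttl

def device_response(nonce, amount_cents):
    # Device binds its answer to this terminal's nonce and this amount.
    msg = nonce + amount_cents.to_bytes(8, "big")
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()

class ChallengeIssuer:
    """Hypothetical issuer: each payment answers a fresh, single-use nonce."""
    def __init__(self):
        self.open_nonces = set()
    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce
    def verify(self, nonce, amount_cents, tag):
        if nonce not in self.open_nonces:
            return False
        self.open_nonces.discard(nonce)  # a nonce is never accepted twice
        return hmac.compare_digest(device_response(nonce, amount_cents), tag)

def replay_outcomes():
    """Compare acceptance of a genuine response and of one captured earlier."""
    long_lived, short_lived = BearerIssuer(24 * 3600), BearerIssuer(30)
    day_ok = long_lived.verify(long_lived.issue(now=0), now=3600)
    short_ok = short_lived.verify(short_lived.issue(now=0), now=3600)
    issuer = ChallengeIssuer()
    nonce = issuer.new_challenge()
    tag = device_response(nonce, 250)
    genuine_ok = issuer.verify(nonce, 250, tag)
    replay_ok = issuer.verify(issuer.new_challenge(), 250, tag)
    return {"24h_token": day_ok, "30s_token": short_ok,
            "challenge_genuine": genuine_ok, "challenge_replay": replay_ok}

if __name__ == "__main__":
    print(replay_outcomes())
```

In this model a shorter lifetime only narrows the window in which a captured token is still accepted, while binding the response to a fresh terminal nonce makes a captured response useless against any later challenge.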

  3. Arctic fox

    I am going to don my early modern English grammar nazi hat

    "The South Koreans doth protest too much, methinks".

    One South Korean doth protest too much, whilst two or more South Koreans do protest too much.

  4. Drefsab_UK

    Was it just me or did the reporter not watch the video? I did not see any bottle of Pepsi bought but instead a packet of crisps :P

    1. Anonymous Coward

      The video on the link is different from the one in the article.

  5. mrslappy

    Run for the Hills

    >>> "Keeping payment information safe is a top priority for Samsung Pay which is why Samsung Pay is built with highly advanced security features," it said.

    Whenever a company asserts that something is their "top priority" you know it's time to run for the hills.

    1. Fatman Silver badge

      Re: Run for the Hills

      <quote>Whenever a company asserts that something is their "top priority" you know it's time to run for the hills that they are full of shit.</quote>

      There!!!

      FTFY


Biting the hand that feeds IT © 1998–2019