Saying your technology is unhackable (unlike everything that has ever come before) is at best hopelessly optimistic and at worst criminally misleading. The best you can say is "We've implemented protections against every known and hypothesised attack and are continuously improving our defences as new exploits come to the fore." Of course that's not as peppy as "We're unhackable!" but it's also not as stupid.
Samsung: Hackers can't pwn our NFC payment kit. No way, nuh-uh, not true (Well, OK, maybe)
A war of words has broken out after a security researcher claimed last week that Samsung's contactless mobile payment system is vulnerable to skimming and spoofing attacks. In talks at both the Black Hat and DEF CON security conferences, held last week in Las Vegas, Salvador Mendoza claimed that he was able to intercept a …
COMMENTS
-
Wednesday 10th August 2016 00:51 GMT Andrew Jones 2
You can't argue with a working proof of concept video.....
So, they can claim he is wrong as much as they want, the video is pretty conclusive proof - and makes you immediately question the decision to generate tokens as soon as app activity is started and NOT invalidate them within a short space of time. 24 hours!! Seriously! Why?! I can't be the only one who thinks 30 seconds is more than generous - after all it doesn't matter how long the actual transaction takes, once the token has been transmitted that should be it. That video is pretty scary stuff actually because removing the whole compiling process from the equation - as I'd imagine this would run on kit that dynamically replaced the hardcoded token in the code on each successful skim - this looks like stealing tokens from people would be ridiculously easy - especially with some of the long range modifications. You'd be surprised how many people open their payment app while standing in the queue - just to make sure it's working, doesn't crash, is using the correct card etc so everything should be straightforward at the point they are actually paying.
-
Wednesday 10th August 2016 06:18 GMT Anonymous Coward
Re: You can't argue with a working proof of concept video.....
While 30 seconds may be a bit quick - some shops in remote places might have a dialup line that is activated to process payments, or an overloaded satellite link - 24 hours is definitely way way way too long. The really criminal thing though is the three digits....seriously?
I'm not sure how much flexibility there is in the EMV protocol, I sure hope the three digits thing isn't part of the spec! Seems to me that if the payment terminal created a one time key, passed that to the phone, then the phone encrypted the transaction using that key you'd have something that couldn't possibly be replayed to any other payment terminal. Obviously it is feasible to do that, but sometimes doing things the right way gets compromised due to wanting to drive down cost...i.e. making the payment terminals cheaper.
Anyone know if there's an EMV spec available for download anywhere, or is it one of those things that's top secret unless you've paid big bucks to be a member of the club? Apple has a lengthy security document about overall iOS security but it doesn't delve into the internals of how Apple Pay works. Not sure if that's in another document, or if Apple isn't permitted to give away the dirty details of the EMV protocols. It would be interesting to compare how they are doing things to how Samsung did them.
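An added example, not part of the comment above and not Samsung's, Apple's or EMV's actual scheme: a nonce-based variant of the terminal-supplied one-time value the comment suggests, combined with the short token lifetime and transaction counter discussed in this thread. The shared device key, the 30-second lifetime, the merged terminal/issuer `Verifier` and all names are assumptions for illustration.

```python
import hashlib, hmac, secrets, struct

TOKEN_TTL = 30  # seconds; assumed lifetime, the figure floated in the thread

def message_bytes(nonce, amount, counter, issued):
    # Fixed-width encoding so fields cannot be shifted into one another.
    return nonce + struct.pack(">QQQ", amount, counter, issued)

def phone_respond(device_key, nonce, amount, counter, now):
    # Phone side: MAC the terminal's nonce together with the transaction data.
    msg = message_bytes(nonce, amount, counter, now)
    tag = hmac.new(device_key, msg, hashlib.sha256).digest()
    return {"amount": amount, "counter": counter, "issued": now, "tag": tag}

class Verifier:
    """Terminal and issuer merged into one object for brevity (assumption)."""
    def __init__(self, device_key):
        self.device_key = device_key
        self.open_nonces = set()   # nonces issued but not yet answered
        self.last_counter = -1     # highest transaction counter accepted

    def new_nonce(self):
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce

    def verify(self, nonce, resp, now):
        if nonce not in self.open_nonces:
            return "rejected: unknown or reused nonce"
        self.open_nonces.discard(nonce)  # each nonce is good for one answer
        msg = message_bytes(nonce, resp["amount"], resp["counter"], resp["issued"])
        expected = hmac.new(self.device_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["tag"]):
            return "rejected: bad MAC"
        if now - resp["issued"] > TOKEN_TTL:
            return "rejected: expired"
        if resp["counter"] <= self.last_counter:
            return "rejected: counter replay"
        self.last_counter = resp["counter"]
        return "accepted"

def demo():
    key = bytes(range(32))                      # constructed sample key
    v = Verifier(key)
    n1 = v.new_nonce()
    r1 = phone_respond(key, n1, 1250, 1, 1000)  # constructed transaction
    out = [v.verify(n1, r1, 1002)]              # genuine payment
    out.append(v.verify(n1, r1, 1003))          # same message sent again
    out.append(v.verify(v.new_nonce(), r1, 1004))  # captured reply, new nonce
    n3 = v.new_nonce()
    r3 = phone_respond(key, n3, 500, 2, 1000)
    out.append(v.verify(n3, r3, 1000 + 24 * 3600))  # presented 24 hours later
    return out
```

Because the MAC covers the verifier's fresh nonce, a response captured in one exchange fails the MAC check in any other, independent of how long the token would otherwise stay valid.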
-
Wednesday 10th August 2016 08:07 GMT Prst. V.Jeltz
Re: You can't argue with a working proof of concept video.....
"The second part is a counter that increments on every transaction in an attempt to thwart replay attacks"
You gotta wonder how much of those 3 digits is this counter?
Maybe the initial token is bigger and they do a 'digit sum' thing until it gets down to 3
-
Wednesday 10th August 2016 08:09 GMT Mike 125
Re: You can't argue with a working proof of concept video.....
@DougS
>>but sometimes doing things the right way gets compromised due to wanting to drive down cost...i.e. making the payment terminals cheaper.
Yes, and also compromised by inappropriate speed optimisations: an extra 13 digits to create a properly safe MAC, all going over NFC, could be seen as taking a few ms too many. Usability always trumps good security.
This is fun - it's a fair bet Apple use the same system.