Samsung Pay is one of the most popular mobile payment services in the world, and technically speaking it should also be one of the most secure solutions in the market. Nevertheless, no system is perfect and as readers might recall, a couple of months ago in August, security researcher Salvador Mendoza seemed to have discovered a security flaw in Samsung Pay, which could, in theory, allow attackers to exploit an issue in Samsung's Magnetic Secure Transmission (MST) technology and gather credit card data into tokens. Now, mister Salvador Mendoza claims to have discovered a second vulnerability in Samsung's mobile payment solution, this time exploiting a flaw in NFC communication.
Earlier in August after the first alleged security flaw has been discovered by Mendoza, Samsung issued a short statement ensuring Samsung Pay users that the platform is secure, and the company also shared a comprehensive document explaining how Samsung Pay and tokenization works. More recently, however, security researcher Salvador Mendoza claims to have found a second vulnerability in Samsung Pay, one that affects NFC transactions, which should technically be more secure than MST communications. As a quick reminder, Samsung Pay is the only mobile payment solution available in the world to make use of both MST and NFC technologies for secure payments. Now, Salvador Mendoza claims to have discovered an exploit that allows an interception application running on a smartphone in the vicinity of a checkout terminal to intercept an NFC transmission and steal the authentication token after the customer confirms the purchase with a fingerprint or PIN, and before the transaction is finalized. Once the NFC transmission is intercepted, the customer will be prompted with an error message, and after attempting to confirm the payment a second time, the system will create a new token valid for 24 hours which will then be intercepted and stolen by the aforementioned application.
Mendoza claims that he has tested the vulnerability at a grocery store, and adds that the issue could be exploited in other stores like BestBuy or Walmart just as well. Samsung has yet to issue a respond in regards to these findings, but it's worth noting that the first official statement released in August was brief, claiming that "recent reports implying that Samsung Pay is flawed are simply not true" and explaining that Samsung Pay "uses a multi-layer security system that works in tandem with the security systems of our partners to detect any emerging threats." Either way, Salvador Mendoza intends to demonstrate the new vulnerability at the Ekoparty security conference which will take place next week in Buenos Aires, Argentina.