Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Threat Management, Governance, Risk and Compliance, Compliance Management, Privacy, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

On heels of exploding phone recall, NFC flaw lets attackers intercept Samsung Pay data

Share

As if exploding phones wasn't a big and costly enough problem for Samsung, an independent research has found a second vulnerability in Samsung Pay that could allow attackers to intercept payment data.

Salvatore Mendoza spotted an NFC flaw, similar to an MST flaw he spotted earlier this year and demonstrated at Black Hat, which would allow an attacker to steal an authentication token after a customer approves a purchase but before the purchase is completed, according to an Oct. 11 blog post.    

“You can detect the NFC tags and implement them in another device,” Mendoza said in a video demonstration of the attack. The attack allowed the researcher to make a purchase on a separate phone using the credentials intercepted from the target device.

Samsung referred to the initial vulnerability as being "extremely difficult" to carry out in its press guidance, but it admitted knowledge of the flaw prior to the Samsung Pay release. Samsung has yet to respond to SCMagazine.com's request for comment. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.