As if exploding phones wasn't a big and costly enough problem for Samsung, an independent research has found a second vulnerability in Samsung Pay that could allow attackers to intercept payment data.
Salvatore Mendoza spotted an NFC flaw, similar to an MST flaw he spotted earlier this year and demonstrated at Black Hat, which would allow an attacker to steal an authentication token after a customer approves a purchase but before the purchase is completed, according to an Oct. 11 blog post.
“You can detect the NFC tags and implement them in another device,” Mendoza said in a video demonstration of the attack. The attack allowed the researcher to make a purchase on a separate phone using the credentials intercepted from the target device.
Samsung referred to the initial vulnerability as being "extremely difficult" to carry out in its press guidance, but it admitted knowledge of the flaw prior to the Samsung Pay release. Samsung has yet to respond to SCMagazine.com's request for comment.
