Claims that the credit card information used to make purchases via Samsung Pay, the simple payment service provided by Samsung Electronics, can be easily hacked and captured are being raised at home and abroad one after another.
At the computer security conference “Black Hat,” held in Las Vegas, U.S., on August 4 (local time), security researcher Salvador Mendoza demonstrated stealing the credit card information from a purchase made with Samsung Pay using a simple device, transferring it to another device and using it a few hours later to make a fraudulent transaction.
The hacking demonstration exploited the way Samsung Pay’s payment system works. Samsung Pay stores the credit card information in the smartphone, and payments can be made by touching the smartphone to the card reader instead of the real credit card. A “one-time payment information token,” similar to the one created when using a real credit card, is made by the financial companies and sent in electromagnetic form to the device.
In the demonstration, Mendoza activated Samsung Pay on a smartphone and stole the token, the electromagnetic payment information, with a special device he carried. He took advantage of the fact that the one-time payment information token provided by a financial company is usually extinguished right after a payment is processed, but when Samsung Pay is aborted without a payment being processed, the token provided by some financial companies remains available for a maximum of 24 hours.
At an upcoming security conference to be held in Texas, U.S., on August 10 (local time), a Korean research team is to announce a hacking vulnerability in Samsung Pay. According to Choi Dae-seon, a professor at Kongju National University, a hacker successfully stole credit card information within a 2 m diameter of a Samsung Pay user making a purchase, and made a fraudulent payment. Professor Choi said the payment information was tapped using a special device, and the hacker made a fraudulent payment before the credit card holder’s original payment was processed.
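The token lifetime behaviour described above, modelled from the issuer's side as an added example (not code from the article, Samsung or any financial company): a token left unredeemed after an aborted payment is still accepted hours later under a 24-hour lifetime, and is rejected when the unused lifetime is short or the wallet revokes it on abort. The `TokenService` class, the 60-second lifetime and the cancel-on-abort call are assumptions made for illustration.

```python
import secrets

DAY = 24 * 3600  # unused-token lifetime the article reports for some issuers

class TokenService:
    """Hypothetical issuer-side token vault (assumed design, not a real API)."""

    def __init__(self, unused_ttl):
        self.unused_ttl = unused_ttl   # seconds an unredeemed token stays valid
        self.tokens = {}               # token -> {"issued": time, "state": str}

    def issue(self, now):
        token = secrets.token_hex(8)
        self.tokens[token] = {"issued": now, "state": "issued"}
        return token

    def cancel(self, token):
        """Wallet reports the payment was aborted: revoke the token at once."""
        rec = self.tokens.get(token)
        if rec is not None and rec["state"] == "issued":
            rec["state"] = "cancelled"

    def redeem(self, token, now):
        """Return (approved, reason) for a token presented by a terminal."""
        rec = self.tokens.get(token)
        if rec is None:
            return False, "unknown"
        if rec["state"] != "issued":
            return False, rec["state"]  # already redeemed, cancelled or expired
        if now - rec["issued"] > self.unused_ttl:
            rec["state"] = "expired"
            return False, "expired"
        rec["state"] = "redeemed"       # single use: the next attempt fails
        return True, "approved"

def replay_after_abort(unused_ttl, delay, wallet_cancels=False):
    """Token issued at t=0, payment aborted, token presented `delay` s later."""
    svc = TokenService(unused_ttl)
    token = svc.issue(now=0)
    if wallet_cancels:
        svc.cancel(token)
    return svc.redeem(token, now=delay)

if __name__ == "__main__":
    later = 3 * 3600  # constructed delay standing in for "a few hours later"
    print("24 h lifetime:         ", replay_after_abort(DAY, later))
    print("60 s lifetime:         ", replay_after_abort(60, later))
    print("24 h + cancel on abort:", replay_after_abort(DAY, later, True))
```

Only the first case approves the late presentation; shortening the unused lifetime or revoking on abort closes the window without changing how a normal payment is redeemed.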
Samsung Electronics reportedly responded by saying, “The research team is arguing they succeeded in hacking (the credit card information) in an unrealistic experiment environment,” adding, “It is almost impossible to hack (the credit card information) in real life.”
The Samsung Pay service is available in a total of eight countries, including South Korea, the U.S., and China.