Salvador Mendoza - Samsung Pay: Tokenized Numbers, Flaws and Issues

 
Share
 

Archived series ("Manual" status)

When? This feed was archived on October 15, 2017 15:05 (2y ago). Last successful fetch was on September 03, 2017 08:23 (2y ago)

Why? Manual status. This feed was manually archived (happens for various reasons).

What now? You might be able to find a more up-to-date version using the search function. This series will no longer be checked for updates. If you believe this to be in error, please check if the publisher's feed link below is valid and contact support to request the feed be restored or if you have any other concerns about this.

Manage episode 167145069 series 1319537
By DEF CON. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Materials:
https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Salvador-Mendoza-Samsung-Pay-Tokenized-Numbers-WP.pdf
https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Salvador-Mendoza-Samsung-Pay-Tokenized-Numbers.pdf

Samsung Pay: Tokenized Numbers, Flaws and Issues
Salvador Mendoza Student & Researcher

Samsung announced many layers of security to its Pay app. Without storing or sharing any type of user's credit card information, Samsung Pay is trying to become one of the securest approaches offering functionality and simplicity for its customers.
This app is a complex mechanism which has some limitations relating security. Using random tokenize numbers and implementing Magnetic Secure Transmission (MST) technology, which do not guarantee that every token generated with Samsung Pay would be applied to make a purchase with the same Samsung device. That means that an attacker could steal a token from a Samsung Pay device and use it without restrictions.
Inconvenient but practical is that Samsung's users could utilize the app in airplane mode. This makes impossible for Samsung Pay to have a full control process of the tokens pile. Even when the tokens have their own restrictions, the tokenization process gets weaker after the app generates the first token relating a specific card.
How random is a Spay tokenized number? It is really necessary to understand how the tokens heretically share similarities in the generation process, and how this affect the end users' security.
What are the odds to guess the next tokenized number knowing the previous one?
Salvador Mendoza is a college student & researcher.

??

@netxing?
Keybase.io: http://keybase.io/salvador

104 episodes