Anyone get the "Sorry, we don't accept Digital Payments".

[Kirk Maluo]

Had this happen to me at Sees Candies and a local restaurant. Do they feel like the system is hackable or something?

I wonder how easier it is to hack a Samsung Phone to spit out fraudulent MST credit card information. Assuming you had a line on fraudulent credit card numbers. I know the Samsung Pay system is solid, but not so much the actual hardware.

 

[SpookDroid]

The hardware is very secure as well, but even if you could hack it, without the one-time token generated by the Payment system, the transaction would be pointless. That's the beauty of these systems, that even if the information is stolen from the vendor you payed in, the token you used was a one-time only thing, so it won't be valid for any other transaction ever.

Also, let them know (if you have the patience for it) that it's not Apple Pay or an NFC payment, that it's a different thing and that it'll work. Unless the clerk is cranky, they'll let you try it. I've used it as Sees Candies a few times and although the first time I used it at Starbucks (my bad, truly, for having to reach behind the cashier's screen to pay) the girl screamed that I had hacked her terminal and wanted to call the cops on me, they do eventually budge and get that you CAN use your phone (and now your watch) to pay for things.

 

[jratliff]

The old post office worker was impressed when I used it there. I said "just hit credit, it will work" lol. No one there had seen it yet either.

 

[Kirk Maluo]

The hardware is very secure as well, but even if you could hack it, without the one-time token generated by the Payment system, the transaction would be pointless. That's the beauty of these systems, that even if the information is stolen from the vendor you payed in, the token you used was a one-time only thing, so it won't be valid for any other transaction ever.

Also, let them know (if you have the patience for it) that it's not Apple Pay or an NFC payment, that it's a different thing and that it'll work. Unless the clerk is cranky, they'll let you try it. I've used it as Sees Candies a few times and although the first time I used it at Starbucks (my bad, truly, for having to reach behind the cashier's screen to pay) the girl screamed that I had hacked her terminal and wanted to call the cops on me, they do eventually budge and get that you CAN use your phone (and now your watch) to pay for things.

Seems like theoretically you could use the mag transmitter to transmit a stolen credit card number to the store terminal. Unless the transmitter is encrypted or something.

 

[jratliff]

https://youtu.be/QMR2JiH_ymU

This guy captures a Samsung pay token and uses it on a MagSpoof device. Pretty interesting.

 

[SpookDroid]

Seems like theoretically you could use the mag transmitter to transmit a stolen credit card number to the store terminal. Unless the transmitter is encrypted or something.

It is encrypted, just like many NFC/RFID transmissions nowadays. Plus there's the whole 'random token' thing, and since that's generated by the SP back-end, even if the phone is signal is cloned, the token wouldn't be able to be correctly generated (although there is a paper out there claiming that SP's tokenization isn't 'random enough' and could be potentially predicted).

 

[Kirk Maluo]

https://youtu.be/QMR2JiH_ymU

This guy captures a Samsung pay token and uses it on a MagSpoof device. Pretty interesting.

So I can see the fear that some banks have. You don't even need too clone stolen credit cards anymore. You can just make a $2 transmitting device and pretend you're using your Samsung Pay.

 

[SpookDroid]

So I can see the fear that some banks have. You don't even need too clone stolen credit cards anymore. You can just make a $2 transmitting device and pretend you're using your Samsung Pay.

A few things to note from this video, though. This assumes you're not using the token generated by the system while the attacker cloned the signal and decrypted the transmission information (this, unfortunately, it's a vulnerability of the magnetic stripe readers, as obviously they were never meant to use wireless transmissions, unlike NFC payments), so that's what they're using to copy your information. The token, once stolen, is also valid for a single transaction, so this wouldn't be something the attacker could abuse for several or recurring charges. Also, he wouldn't be able to get away with using this kind of device on a normal terminal with a clerk watching. And finally, this video is a year old (almost); Samsung has already patched this vulnerability and the token life is shortened to a few minutes if I'm not mistaken, and also 'cancelled' as soon as the app is closed or a new token is generated.

 

[Kirk Maluo]

A few things to note from this video, though. This assumes you're not using the token generated by the system while the attacker cloned the signal and decrypted the transmission information (this, unfortunately, it's a vulnerability of the magnetic stripe readers, as obviously they were never meant to use wireless transmissions, unlike NFC payments), so that's what they're using to copy your information. The token, once stolen, is also valid for a single transaction, so this wouldn't be something the attacker could abuse for several or recurring charges. Also, he wouldn't be able to get away with using this kind of device on a normal terminal with a clerk watching. And finally, this video is a year old (almost); Samsung has already patched this vulnerability and the token life is shortened to a few minutes if I'm not mistaken, and also 'cancelled' as soon as the app is closed or a new token is generated.

Minus the tokens though, it seems like someone can buy stolen credit card numbers, program them in succession on that transmitter, and pretend to use Samsung Pay.

 

[SpookDroid]

Nope. Without the token, the Samsung Pay information is worthless. And even if you get the token, once it expires, is cancelled, or has been used, it's also worthless (which is why if you pay with SP and the store gets a breach and they get all the data from them, hackers wouldn't be able to use your information for any other purchases).

Also, not sure, but the transmitter the guy is using might be using the NFC reader on the vending machine, so those would only work on contactless payment terminals, not magnetic stripe readers.

 

[jratliff]

I think kirk meant could someone spoof a regular credit card swipe with the magspoof decice? Not having anything to do with samsung pay except using the name to disguise what you were doing.

I'm curious to learn more like what information comes out when you actually swipe a card? Would you have to skim a card or could it be programed just from the number into that magnetic spoof device?

I agree Samsung pay is safer because you don't have your actual account info hanging out there for a future data breach and it has a time limited life.

 

[SpookDroid]

Ah! OK. Well, yup, the info is there... But since magnetic stripe readers don't transmit anything wirelessly, you'd have to swipe the card to copy it. BUT if you have the magnetic terminal data protocol/format and you have a stolen credit card information (it's not only the number these days, you'd have to have the whole information inside the card, including the magnetic stripe ID, which is a little like how the tokens work for phone payment systems), yeah, it's totally possible to emulate and transmit the data like you see in the video. The only thing I don't know, like I said, is if the transmitter in the video is emulating NFC payments or MST ones (I'm leaning towards the first, but who knows).

Also, this is why RFID-blocking wallets are still popular (some cards already used 'contactless' payments via RFID), and could be copied since they had the same information as the magnetic stripe, just encrypted in a wireless signal.

 

[Kirk Maluo]

Yeah, I'm pretty sure when you buy stolen numbers, it actually comes from cards that were actually swiped with skimmers. So it has all the info. Just wondering if if this is starting to give Samsung Pay and others a bad name.

 

[jratliff]

I wanted to find a way to use my phone to transmit my badge id information to a swipe badge reader at work for access control! But I haven't found where anyone has been able to use their Samsung pay for anything else.

I could see a risk where say you're at a restaurant and the person swiping your card adds it to a dummy Samsung pay account (or any other phone pay) and then goes and uses that like a stolen card until you check your email or realize it has happened. Like skimming a card in a new way. They could even just take a picture and add the card later so it didn't bring suspicion.

 

[SpookDroid]

I wanted to find a way to use my phone to transmit my badge id information to a swipe badge reader at work for access control! But I haven't found where anyone has been able to use their Samsung pay for anything else.

I could see a risk where say you're at a restaurant and the person swiping your card adds it to a dummy Samsung pay account (or any other phone pay) and then goes and uses that like a stolen card until you check your email or realize it has happened. Like skimming a card in a new way. They could even just take a picture and add the card later so it didn't bring suspicion.

I wanted the same app haha, but while technically possible, it is somewhat restricted in the OS (there are apps that allow you to read data off the card, though, albeit the encrypted parts still remain encrypted lest you have the 'key').

As for taking the picture of the card, that wouldn't work as you need the verification numbers on the back, you get an e-mail confirming the card has been added, and most banks now require a two-step verification before actually adding the card (a call, a code via text, e-mail, and in some annoying cases, having to log into their apps and authorizing it there).

 

[jratliff]

Re: Anyone get the "Sorry, we don't accept Digital Payments".

Oh yeah oops I forgot about the text message code! I just remembered thinking how easy it was to add my card to my girlfriends phone, I did have to enter a code though.

I used a credit card from Samsung pay on my id badge reader at work, it did recognize it and just said "wrong facility".

 

[SpookDroid]

Yeah, RFID and NFC are technically compatible and can prompt action from a reader, but without the proper transmission protocol and data, obviously, that's all it is: a valid signal with invalid data.

Fun fact: Correctly positioned, if NFC is enabled on your phone, you can trigger the RFID alarms from department stores with overpowered transmitter arches. You have to get it just right, but totally possible.