In security, how a company responds to a potential flaw matters. Samsung may be learning that lesson after it took to social media to dispute a researcher's findings about a flaw in Samsung Pay.
The Korean electronics giant has disputed the findings of a security researcher who, last week at the Black Hat security and hacking conference, detailed what he described as "limitations" in the company's mobile payments system, Samsung Pay.
Salvador Mendoza, the security researcher who found the flaw, told ZDNet prior to his talk that the tokens Samsung Pay generates when it scrambles and tokenizes credit and debit card data before it reaches a payments terminal can be intercepted. In the worst case, he said, those tokens can be predicted and actively generated. In a proof-of-concept video, he demonstrated that the tokens can be stolen and used on other hardware to make one-time fraudulent transactions, even in countries and regions where Samsung Pay isn't available.
In other words, this is credit card skimming on a whole new level.
Mendoza’s demonstration was impressive and fully documented in his presentation slides and in his white paper. In order to present at Black Hat, a talk must undergo a strict vetting process by the Black Hat review board, which is made up of dozens of industry experts and veteran security professionals.
Mendoza's talk passed that bar. But this isn't an easy hack to carry out. It's deeply technical, and it requires skill and a social engineering effort, which adds a further layer of complexity. It's what some would call a "one percent hack": unlikely to happen, but still usable by an advanced or persistent attacker.
But here's the catch. If you're Samsung, how secure is secure enough? How feasible is the attack? You could also argue that closing the books on Mendoza's proof-of-concept would require a product overhaul.
In any case, a flaw is still a flaw and how a company responds when a security researcher comes forward with a flaw or vulnerability — even a “one percent hack” — can speak volumes.
Samsung didn’t take the news so well.
“We would like to clarify that Samsung Pay is built with highly secure technology and is the most widely accepted mobile payment solution available today,” said one statement.
The company followed by sending out a barrage of hundreds of tweets pointing to the statement, trying to reclaim the narrative and calling the research "inaccurate." One senior Samsung executive called the research a "false accusation" against the company. His main quibble, echoing a statement by the company, was that the research allegedly mischaracterized the algorithm.
In the "press guidance" it issued alongside its statements, Samsung did not dispute the key takeaways from the research. The company said that an attacker would find it "extremely difficult" to carry out the hack, but it admitted that the vulnerability was known prior to Samsung Pay's release.
“This skimming attack model has been a known issue reviewed by the card networks and Samsung Pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack,” said the company.
Two proof-of-concept videos detailing the flaws, coupled with a sufficient level of scrutiny and vetting by the security community, are enough to put the onus on Samsung to disprove the claims rather than mount a public relations campaign.
Or as one security researcher told me privately this afternoon, “it’s a pity that Samsung’s going for security-by-public-denial.”
Samsung spokesperson Danielle Meister Cohen told me last week that, “if at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”
When approached with security research detailing flaws in your product, it's best to collaborate with the researcher, be proactive, debate if needed, and determine a resolution. Responding on social media and issuing statements comes across as foot-stamping.
Samsung did not respond to any further emails requesting comment following the story’s publication.