00:00:00.000-->00:00:04.771
All right everybody. Give
everybody a roundeous applause
for Salvador Mendoza about

00:00:04.771-->00:00:09.776
Samsung Pay Tokenized Numbers:
Flaws and Issues. [applause]
Thank you. It's a pleasure to be

00:00:16.116-->00:00:20.354
in DEF CON this year, uh, and
I'm going to talk about Samsung
Pay Tokenized Numbers: Flaws and

00:00:20.354-->00:00:25.359
Issues. Also we going to talk
about [inaudible] laser beams
today. Basically have twenty

00:00:28.695-->00:00:33.300
minutes to explain nearly one
year of my research and we are
going to start with agenda for

00:00:33.300-->00:00:38.305
today. We're going to talk about
terminology, analysing tokenized
numbers, MST and NFC protocols,

00:00:41.341-->00:00:46.380
token phases and status, of
course: flaws and issues. Then
to use an scenario, see I'm

00:00:46.380-->00:00:52.052
going to introduce two tools for
today. Um, at the end I'm going
to talk about international

00:00:52.052-->00:00:57.057
tokens. For terminology I'm
going to use NFC for Near Field
Communication. MST for Magnetic

00:00:59.393-->00:01:04.631
Secure Transmission protocol.
RTA for Reset Token Service,
which mainly are the protocol,

00:01:04.631-->00:01:10.504
for the tokenization process.
Tokenized numbers for the SIP
process or the primary account

00:01:10.504-->00:01:16.310
PIN number, which we'll play
with surrogate value. In this
case it's going to be a token.

00:01:16.310-->00:01:22.215
And the token is a voucher to
interchange for goods or
services. TSP for Token Service

00:01:22.215-->00:01:27.220
Provider, who is in charge for
tokenization process. And PAN
for Primary Account Number. So,

00:01:30.757-->00:01:36.129
let's start analysing tokenized
numbers. Basically when you're
going to make a payment Samsung

00:01:36.129-->00:01:42.869
Pay is going to create three
tracks. It's like when you swipe
your card, but this time all the

00:01:42.869-->00:01:49.276
tracks are the same values. Why?
Basically because it doesn't
matter which track the terminal

00:01:49.276-->00:01:54.281
is going to detect, if it
detects any one the transaction
can go through. If we analyse

00:01:57.384-->00:02:03.490
the last twenty digits of the
token, we need to analyse like,
they are different counters.

00:02:03.490-->00:02:10.230
Basically the first four digits
are for it's new expiration date
for the new virtual credit card,

00:02:10.230-->00:02:15.869
the next three digits is for the
new service code. The service
code is very important because,

00:02:15.869-->00:02:20.741
for example, you have a pin and
chip protection card and you add
it to Samsung Pay. Samsung Pay

00:02:20.741-->00:02:25.112
is going to replace this value
so then you don't have the
necessity to have the physical

00:02:25.112-->00:02:31.518
card with you to make a payment.
The last counter is a
transaction range which plays

00:02:31.518-->00:02:38.358
the surrogate role. Um, the next
counter is the transaction ID
which mainly increase plus one

00:02:38.358-->00:02:44.031
every time you use Samsung Pay.
And the last three digits are
random numbers to fill the

00:02:44.031-->00:02:49.036
American Banking Association
format or track true, this case.
Offline and online mode.

00:02:52.472-->00:02:57.644
Basically when you are in
offline mode, the counter in the
middle of the token doesn't

00:02:57.644-->00:03:02.582
change but when Samsung Pay
connects to internet, this
counter increases every, like,

00:03:04.584-->00:03:09.589
three or four transactions. One
of the problems Samsung Pay is,
that you can make payments in

00:03:12.993-->00:03:19.800
airplane mode. This means that
Samsung Pay doesn't have a full
control of the tokens. Let's

00:03:19.800-->00:03:24.805
talk a little bit about the
token phases of status. Like any
old transactions Samsung Pay has

00:03:28.008-->00:03:32.412
different, uh, the tokens of
Samsung Pay has different
status, like proactive, pending,

00:03:32.412-->00:03:37.417
disposed, enroll, expire after a
period of time and suspended.
These help, basically, uh,

00:03:44.424-->00:03:50.097
according to VISA developer
centre, help a tokenization
process or provider update the

00:03:50.097-->00:03:55.102
tokens. In it's a deprovisioned
token ID and also ip key in a
JSON format. Please keep in mind

00:03:58.038-->00:04:02.976
this is slide we're going to use
in the next, the next uh,
example. So the valid structure

00:04:06.646-->00:04:12.819
very important, we - I found
more than twenty databases in
the codes of Samsung Pay, some

00:04:12.819-->00:04:17.824
of them are for connections for
certificates, encryption
directories and files. I'm going

00:04:22.295-->00:04:28.168
to take a look at the structure
of them. On them, on the bottom
of the database - CVP chan

00:04:28.168-->00:04:34.341
encrypt database - we see the
structure of this database. When
we see the structure of this

00:04:34.341-->00:04:39.346
database we can found some of
the, of the fields that we need
to update a token. This means,

00:04:43.483-->00:04:48.488
if a attacker could find a way,
to the, to the crypt or to get
these provisioned token IDs he

00:04:51.291-->00:04:56.296
will be able to update a token
all the time, even, for example,
it's expired, or disposal. Maybe

00:04:59.032-->00:05:03.970
you are thinking this database
are encrypted but what I found
was the encryption for the

00:05:09.042-->00:05:14.047
databases is using a static
passwords. Basically we, we see
this method, the encrypt method,

00:05:17.350-->00:05:21.655
but it's not just the database
manager also an auth methods
call this function to encrypt

00:05:21.655-->00:05:26.660
the data. Continue we found some
issues when I was able to, to
make a, to make a backup of the

00:05:31.531-->00:05:37.370
Samsung Pay databases and in the
card table I found the token
expiration date was in blank,

00:05:37.370-->00:05:43.343
specifically in that field also
the ip retried four times,
implements, implements timestamp

00:05:43.343-->00:05:48.348
format which expire over twenty
four hours. So basically the
main problem, problem here is if

00:05:52.018-->00:05:57.524
Samsung Pay generates a token,
but you don't use this token to
make a purchase that token is

00:05:57.524-->00:06:02.529
still alive, or active. For
example if I ask you "can you
show me how Samsung Pay works?"

00:06:02.529-->00:06:08.735
and you show me, but you're not
making a transaction, actually.
But that token's still alive

00:06:08.735-->00:06:14.474
when you close and open this
application again you're going
to get a new token but the last

00:06:14.474-->00:06:19.479
token's still alive. Continuing
with flaws and issues basically
you are suspicious, that

00:06:22.182-->00:06:27.621
somewhere, someone has captured
your token, and delete your
virtual credit card and you add

00:06:27.621-->00:06:32.626
it again. The last digits of the
new virtual credit card they are
going to change the out stand,

00:06:35.562-->00:06:40.567
the last four digits basically.
I make a log, adding and
deleting the card so, let's go

00:06:47.707-->00:06:53.313
to interesting part. The end
user scenarios. We are going to
talk about reversing the decrypt

00:06:53.313-->00:06:58.551
and encrypt function, social
engineering the jamming the
signals and guessing the next

00:06:58.551-->00:07:03.490
token. We talk disabled to the
keep to reverse this functions.
You are able to get, I think,

00:07:09.462-->00:07:15.535
may, main, almost all, almost
cus, almost the, the, the
information for all the

00:07:15.535-->00:07:20.540
encryption function because they
use for many methods. Let's talk
about social method basically I

00:07:24.778-->00:07:29.783
may, made a, a tool, it's not
very zero, little power boost
credit card reader. Basically

00:07:32.118-->00:07:37.123
around fifty dollars and now to
show you an example how it
works. So, like the example I

00:07:47.133-->00:07:53.473
told you you have this, this
tool on, wear in my hand I can
capture tokens when I ask you

00:07:53.473-->00:07:58.478
how Samsung Pay worked. And this
tool send this token by email.
So I can use that token using

00:08:01.681-->00:08:06.686
another tool. Like mag, MagSpoof
tool from Samy Kamkar. Thank you
Sammy. So basically when I've

00:08:11.424-->00:08:16.429
got the token I compile, and it
go to the, uh, grocery machine
and I try to use that token

00:08:22.168-->00:08:27.173
[laughter] [applause] so I
select the product and it's
authorising, and it's ready

00:08:36.182-->00:08:41.187
[applause]. Thank you. Now,
let's talk about JamPay. JamPay
is a jammer it runs three

00:08:44.491-->00:08:50.397
services. One is for a jammer,
to jam the terminal, another is
for the email service. And the

00:08:50.397-->00:08:55.869
aother. Is for, you can see a
token in the web browser.
Basically it's running a Python

00:08:55.869-->00:09:00.807
web server. So for example,
let's imagine you are in Vegas
right? [laughter]. So we are in

00:09:06.546-->00:09:11.551
Vegas. So basically I found a
machine and I use my jammer so
the main point here the jammer

00:09:15.588-->00:09:20.894
is still sending magnetic, MST
signals, Magnetic Secure
Transmission signals when a user

00:09:20.894-->00:09:26.933
comes to make a transaction the
terminal is not, anymore, in
input mode so the jammer is

00:09:26.933-->00:09:31.938
going to detect the MST signal
and is then going to send it to
me via email. I got the token,

00:09:34.641-->00:09:39.646
so after that I use a MagSpoof,
again: Sammy you are my hero,
and I make a transition,

00:09:42.849-->00:09:47.854
transaction after that, I'm
going to select a drink, and
vending... so [applause] that's

00:10:00.266-->00:10:05.271
an simple example I have
[applause] I was thinking about
to, to guess a token, but

00:10:09.442-->00:10:14.447
basically I forgot my card, card
reader. Sorry about that. So
let's talk about international

00:10:17.350-->00:10:22.355
Samsung Pay tokens. I assume
that, the, the virtual credit
card was going, was going to use

00:10:24.858-->00:10:29.162
the same restrictions like a
physical card. Like for example
when you are going, going to

00:10:29.162-->00:10:35.301
another country you basically
call your bank and tell them:
"hey, I'm going to be in..",

00:10:35.301-->00:10:40.306
let's say "Mexico". So the bank
take care of it and you can use
that card in that country. What

00:10:43.476-->00:10:50.216
I found interesting was I sent
one of my tokens to Mexico to
see some of my friends can make

00:10:50.216-->00:10:55.221
a purchase, and how can I have
restrictions the bank is going
to have. So basically it was

00:10:57.323-->00:11:02.262
July 8, I sent one of my tokens
to one guy in Mexico and he is
trying to charge me twenty

00:11:04.531-->00:11:09.536
Mexican pesos basically. So the
transaction went through. They
ask for a signature, that's not

00:11:22.081-->00:11:27.153
my signature, but, [laughter]
who cares. So the transaction
went through and I got the

00:11:27.153-->00:11:32.625
confirmation from Samsung Pay.
You have spend twenty Mexican
pesos even when Samsung Pay is

00:11:32.625-->00:11:37.630
not in Mexico, yet. [applause].
So the take-aways for today:
Samsung Pay has some levels of

00:11:48.041-->00:11:54.147
security, but it is a fact they
can be targets for malicious
attacks. Samsung Pay, Samsung

00:11:54.147-->00:11:59.219
Pay has some limitations in the
tokenization process which could
affect customer security and

00:11:59.219-->00:12:04.157
finally, tokens generates by
Samsung Pay could be used in
another hardware. Please, if you

00:12:06.192-->00:12:11.197
have any questions. This is your
time to ask me [applause] And to
say thank you to all this guys

00:12:26.479-->00:12:27.981
[laughter], really appreciate
your help.