Alright everybody, give a round of applause for Salvador Mendoza about Samsung Pay tokenized numbers, flaws and issues.

Thank you. It's a pleasure to be at DEF CON this year, and I'm going to talk about Samsung Pay tokenized numbers, flaws and issues. Also we want to talk about cocoa dry oats and laser beams today. Basically I have 20 minutes to explain almost one year of my research, and we are going to start with the agenda for today. We're going to talk about terminology, analyzing tokenized numbers, MST and NFC protocols, token phases or statuses, of course flaws and issues, and dangerous scenarios, so I'm going to introduce two tools today. At the end I'm going to talk about international tokens.

For terminology, I'm going to use NFC for near field communication, MST for the magnetic secure transmission protocol, and TS for token service, which mainly are the protocols for the tokenization process. Tokenization is a process where the primary account number is replaced with a surrogate value; in this case it's going to be a token, and the token is a value to interchange for goods or services. TSP is the token service provider, who's in charge of the tokenization process. And PAN is the primary account number.

So let's start analyzing tokenized numbers. Basically when you're going to make a payment, Samsung Pay is going to create three tracks. It's like when you swipe your card, but this time all the tracks have the same values. Why? Basically because it doesn't matter which track the terminal is going to detect; if it detects any one of them, the transaction can go through. We analyze the last 20 digits of the token. We need to analyze them like they are different counters. Basically the first four digits are the new expiration date for the new virtual credit card. The last three digits are for the new service code. The service code is very important because, for example, you have a PIN and chip protected card and you add it to Samsung Pay.
Samsung Pay is going to replace this value, so you don't have the necessity to have a physical card with you to make a payment. The last three digits are random numbers to fill the American Bankers Association format, or track 2 in this case.

Offline and online mode. Basically when you are in offline mode, the counter in the middle of the token doesn't change. But when Samsung Pay connects to the Internet, this counter increases every three or four transactions. One of the problems with Samsung Pay is that you can make payments in airplane mode. This means that Samsung Pay doesn't have full control of the tokens.

Let's talk a little bit about the token phases or statuses. Like any other transactions, Samsung Pay has different statuses, like active, pending, disposed, enrolled, expired after a period of time, and unsuspended. This is how, according to the Visa Developer Center, a tokenization provider updates the tokens. It needs a vProvisionedTokenID and also an API key, in JSON format. Please keep in mind this is live, this is what we are going to use. And then the next example.

So the file structure is very important. I found more than 20 databases in the code of Samsung Pay. Some of them are for connections, certificates, encryption, directories and files. I'm going to take a look at the structure of the database at the bottom, the CBP, JAN and Crypt database, to see the structure of this database. If we look at the structure of this database, we can find some of the fields that we need to update a token. This means if an attacker could find a way to decrypt or to get these provisioned token IDs, he would be able to update a token all the time, even, for example, if it's expired or disposed. Maybe you are thinking these databases are very encrypted. But what I found was encryption for databases using static passwords. Basically, we see this method, the encrypt method, but it's not yet the database manager.
Also, another method calls this function to encrypt the data.

Continuing with flaws and issues. When I was able to make a backup of the Samsung Pay databases, in the card table I found that the token expiration date was blank, specifically that field. Also, that view retries part-time implements a timestamp format, which expires after 24 hours. So basically, the main problem here is if Samsung Pay generated a token but you don't use this token to make a purchase, that token is still alive or active. For example, if I ask you, can you show me how Samsung Pay works? And you show me, but you're not actually making a transaction. That token is still alive. When you close the application and open it again, you are going to get a new token, but the last token is still alive.

Continuing with flaws and issues. Basically, you are suspicious that somebody captured your token. You delete your virtual credit card and you add it again. The last digits of the new virtual credit card are going to change, the last four digits basically. I make a lock. I am deleting the card.

So, let's go to the interesting part: dangerous scenarios. We're going to talk about reversing the encryption and decryption functions, social engineering using MST signals, and guessing the next token. When an attacker is able to reverse these functions, he will be able to get, I think, almost all the information for all the encryption functions, because they are used by many methods.

Let's talk about social methods. Basically, I made a tool using a Raspberry Pi Zero, a power boost, and a credit card reader, basically around $50. I'm going to show you an example of how it works. So, like the example that I told you, I have this tool in my hand. I can capture tokens when I ask you how Samsung Pay works, and this tool sends these tokens by email. So, I can use that token using another tool, like the MagSpoof tool from Samy Kamkar. Thank you, Samy.
So, basically, when I got the token, I compile it, and I go to the vending machine and try to use that token. So I select the product, and it's authorizing, and it's vending. Thank you.

Now, let's talk about JamPay. JamPay is a jammer. It runs three services: one is the jammer, to jam the terminal; another is the email service; and another is so you can see the tokens in the web browser. Basically it's running a Python web server. Here's an example. Let's imagine that you're in Vegas, right? So we're in Vegas. So basically I found a machine and I use my jammer. So the main point here: the jammer starts sending MST signals, magnetic secure transmission signals. When a user comes to make a transaction, the terminal is not in input mode anymore. So the jammer is going to detect the MST signal and send it to me by email. I got the token. After that, I use MagSpoof. Again, Samy, you're my hero. I make a transaction. After that, I'm going to select the drink, and it's vending. So basically that's the example I have. I was thinking about getting a token live, but basically I forgot my card reader. Sorry about that.

So, let's talk about international Samsung Pay tokens. I assumed that the virtual credit card was going to have the same restrictions as a physical card. For example, when you're going to another country, you basically call your bank and tell them, hey, I'm going to be in, let's say, Mexico. So the bank takes care of it, and you can use that card in that country. What I found interesting was, I sent one of my tokens to Mexico to see if one of my friends could make a purchase, and what kind of restrictions the bank was going to have. So basically it was July 8th. I sent one of my tokens to one guy in Mexico, and he's trying to charge me 20 Mexican pesos, basically. So the transaction went through. It asked for his signature. That's not my signature, but who cares?
So the transaction went through, and I got the confirmation from Samsung Pay: you have spent 20 Mexican pesos, even when Samsung Pay is not in Mexico yet.

So, the takeaways for today. Samsung Pay has some levels of security, but it's a fact that it could be targeted for malicious attacks. Samsung Pay has some limitations in the tokenization process, which could affect customer security. And finally, tokens generated by Samsung Pay could be used in other hardware.

Please, if you have any questions, this is your time to ask me. I need to say thank you to all these guys. Really appreciate your help.
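The talk describes the captured token as track-2 data (expiration date, service code, then filler digits) and makes the point that Samsung Pay substitutes its own service code for the physical card's, so a chip-and-PIN card's restrictions no longer apply to the token. The following is an added example, not code from the talk or from Salvador Mendoza's tools: it parses ISO/IEC 7813 track-2 strings, decodes the three service-code digits according to the ISO 7813 meanings, lists which of the physical card's controls (chip preferred, online authorization, PIN) the token's service code drops, and diffs two consecutive captures to locate the digits that change between tokens, which is the counter-hunting step for "guessing the next token". The track strings are constructed (the PANs are public test card numbers); the talk does not give the layout of the discretionary data, so the example only shows where it changes.

```python
"""Added example (not from the DEF CON talk or its tools): parse ISO/IEC 7813
track-2 data, decode the service code, and compare a physical card's
restrictions with those of a tokenized replacement. Sample data is constructed."""
import re
from dataclasses import dataclass

# Track 2 layout: ;PAN=YYMM SSS discretionary ? [LRC]
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)

# Service code digit meanings per ISO/IEC 7813.
DIGIT1 = {  # interchange and technology
    "1": "international interchange OK",
    "2": "international interchange, IC (chip) preferred",
    "5": "national interchange only",
    "6": "national interchange only, IC (chip) preferred",
    "7": "no interchange except under bilateral agreement",
    "9": "test",
}
DIGIT2 = {  # authorization processing
    "0": "normal authorization",
    "2": "contact issuer via online means",
    "4": "contact issuer via online means except under bilateral agreement",
}
DIGIT3 = {  # allowed services and PIN requirements
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, use PIN where feasible",
    "7": "goods and services only, use PIN where feasible",
}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check on the PAN (tokens are also Luhn-valid)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not track-2 data: %r" % raw)
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def describe_service_code(code: str) -> dict:
    if not re.fullmatch(r"\d{3}", code):
        raise ValueError("service code must be three digits")
    return {
        "interchange": DIGIT1.get(code[0], "reserved/unknown"),
        "authorization": DIGIT2.get(code[1], "reserved/unknown"),
        "allowed_services": DIGIT3.get(code[2], "reserved/unknown"),
        "chip_preferred": code[0] in ("2", "6"),
        "online_auth_required": code[1] in ("2", "4"),
        "pin_required": code[2] in ("0", "3", "5"),
    }


def relaxed_restrictions(physical: Track2, token: Track2) -> list:
    """Controls the physical card's service code demands that the token's does not."""
    p = describe_service_code(physical.service_code)
    t = describe_service_code(token.service_code)
    return [k for k in ("chip_preferred", "online_auth_required", "pin_required")
            if p[k] and not t[k]]


def changed_positions(a: str, b: str) -> list:
    """Character offsets at which two captured track-2 strings differ."""
    if len(a) != len(b):
        raise ValueError("tracks differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed samples: a chip-and-PIN card (service code 220) and two
# tokens captured back to back (service code 101, one digit changed).
PHYSICAL_TRACK2 = ";4111111111111111=2512220000000000000?"
TOKEN_TRACK2_A = ";4012888888881881=2707101000001230000?"
TOKEN_TRACK2_B = ";4012888888881881=2707101000001240000?"

if __name__ == "__main__":
    card, tok_a = parse_track2(PHYSICAL_TRACK2), parse_track2(TOKEN_TRACK2_A)
    print("card  :", describe_service_code(card.service_code))
    print("token :", describe_service_code(tok_a.service_code))
    print("relaxed:", relaxed_restrictions(card, tok_a))
    print("changed offsets between captures:", changed_positions(TOKEN_TRACK2_A, TOKEN_TRACK2_B))
```

For the constructed samples the token drops all three controls of the physical card (chip preference, online authorization and PIN), and the two captures differ only at offset 32, inside the discretionary data, which is where a counter would be looked for.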