The apparent inertia that mobile payments presently suffer may be overcome once one of the leading stated reasons for consumer reluctance to adopt them is addressed. Fears about the security of mobile wallets have acted as an anchor. Close examination of the authentication and transaction execution procedures may well alleviate or dispel those fears for some. This article outlines no fewer than two complex and difficult ways to circumvent the intrinsic security of the Samsung Pay scheme.
The attacks outlined by Mendoza focus on intercepting or fabricating payment tokens — codes generated by the user’s smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. They expire 24 hours after being generated and are single-use only.
Mendoza outlined a number of attacks targeting this. In one scenario, a wrist-mounted device is used to skim tokens generated by the user’s smartphone. This would require a user to authenticate — but not complete — a mobile payment, with Mendoza suggesting that a hacker might trick the user by asking to see a demonstration of Samsung Pay.
In many ways, this security “flaw” is similar to that of cash. Should someone ask to see a bill that you have in your wallet and you hand it to them, there is a chance they will snatch it and use it to buy something.
In all seriousness, analysis of the shortcomings in the security of Samsung Pay and other mobile wallets enables consumers to modify their behavior around their use and accurately weigh the real risk involved. Finding ways to incentivize consumers to overcome their reluctance and expand their individual adoption of mobile payment schemes remains the key obstacle for mobile wallet providers, but addressing security concerns head on will certainly help as well.
Overview by Joseph Walent, Senior Analyst, Emerging Technologies Advisory Service at Mercator Advisory Group