Payment technologies are in an unwelcome spotlight this month, as security researchers expose their weaknesses just as the products are winning a long-desired trust among mainstream consumers.
Even if these attacks are more theoretical than practical, the end result is an erosion of trust in the very technologies that are supposed to make the point of sale much safer for consumer card data.
"It is a bit ridiculous that we keep having the same conversation around the need for strong authentication, especially in environments that protect payment data," said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
A presentation at a recent Black Hat event in Las Vegas demonstrated that the sequencing of Samsung Pay's protective tokens is predictable and progressively weaker. That allows tokens to be stolen and used in other hardware in an updated version of a skimming attack. In the Black Hat presentation, a researcher sent a token from the U.S. to acquaintances in Mexico, where Samsung Pay isn't supported, who found the token to be usable through Samsung's Magnetic Secure Transmission method, which creates a wireless signal that simulates the use of a magstripe card.
Samsung did not return a request for comment by deadline. The news comes amid reports that mobile payments may be poised for growth after years of lackluster performance, making it a poor time for bad publicity. Discover's
"It is more embarrassing than anything else for the folks over at Samsung Pay," Pascual said. "But I would be surprised if a fix didn't follow in short order. Better that a researcher finds it as opposed to a hardcore fraudster."
It's nevertheless a hard hit for the fintech industry, as most of the big mobile wallets like Apple Pay and Samsung Pay use
Despite these protections, mobile payment systems such as Samsung Pay, Apple Pay and
"Expectations for fraud prevention in the mobile form factor are a bit higher than they are for plastic, which is good, but this is really more a story about how the system works than it is about flaws," said Rick Oglesby, president of AZ Payments Research.
If fraudsters figure out ways to exploit the design to steal funds in a repeatable and scalable way, then the term “flaw” would make more sense, Oglesby said. "In this case, the fraud opportunity is dependent upon access to the legitimate consumer’s phone, which limits repeatability and scalability."
But in Oracle's case, the damage is already done. Krebs reports attackers compromised a customer service portal tied to MICROS, a division at Oracle that sells point of sale systems deployed at more than 330,000 locations globally, including 100,000 retail sites, 200,000 food and beverage locations and more than 30,000 hotels. The attackers, part of a Russian organized crime group, most likely targeted a "ticketing" portal that Oracle uses to help MICROS clients troubleshoot problems at point of sale systems.
A similar incident hit the
If the portal compromise allows remote access to MICROS clients' point of sale systems, it would be easy to install malware to retrieve payment information, said Thomas Pore, director of IT and services at Plixer, a Sanford, Maine-based network traffic facilitating company, in an email.
"While phishing has proven to be very effective, what if the attackers didn't need to phish all of their targets, but just the third party who has access to them?" Pore said.
Oracle provided a letter to clients that said the company detected and addressed malicious code in "certain legacy MICROS systems." The company has added additional security measures, and has required MICROS customers to change their passwords, according to the letter.
Like mobile payment vulnerabilities,
"One of the biggest challenges, particularly in the U.S. market, is fragmentation. There are so many players in the ecosystem it would be hard for all of them to be on the same security level," Kneiff said. "It takes a lot of time for ISOs and payments processors to make updates to mission critical hardware and software."