SlideShare a Scribd company logo

Samsung pay: tokenized numbers flaws and issues

Priyanka Aash
Priyanka Aash

Salvador Mendoza presented on Samsung Pay and tokenized card numbers. He discussed terminology related to NFC, MST, tokens and tokenization. He analyzed the format of tokenized numbers and how they emulate physical cards. Mendoza described flaws in Samsung Pay's token generation and storage processes that could enable attacks like jamming MST signals, reversing encryption, or guessing future tokens. He demonstrated a tool that can jam MST signals and discussed potential social engineering attacks.

Technology
1 of 24
Download to read offline
Samsung Pay: Tokenized Numbers, Flaws and Issues Salvador Mendoza Twitter: @Netxing Salvador_m_g@msn.com
About Me Salvador Mendoza ● Researcher o Android apps and tokenization mechanisms. ● College student o A. S. Computer Science Degree o Computer Network Administration Certificate o Computer Programming Specialist Certificate
Agenda ● Terminology ● Tokenized numbers ● Numbers and analyzing a token ● MST and NFC protocols ● Fragile tokenized process and storage ● Possible attacks ● JamPay tool
Terminology ● NFC: Near Field Communication ● MST: Magnetic Secure Transmission ● VST: Visa Token Service ● Tokenized numbers: A process where the primary account number (PAN) is replaced with a surrogate value = Token. ● Token: An authorized voucher to interchange for goods or service. ● TSP: Token Service Provider ● PAN: Primary Account Number
Analyzing Tokenized Numbers (Token) %4012300001234567^21041010647020079616?; 4012300001234567^21041010647020079616? ~4012300001234567^21041010647020079616? % = Start sentinel for first track ^ = Separator ? = End sentinel for every track ; = Start sentinel for second track ~ = Start sentinel for third track A tokenized number follows exactly the same format of IATA/ABA; emulating perfectly a swiping physical card.
Analyzing a Track Second track ;4012300001234567^21041010647020079616? 401230-000-1234567 401230 000 01234567 New CC number Private BIN # Never change, from original CC Still researching The first 16 digits are the new assigned CC number: 4012300001234567
Analyzing a Track Second track = ;4012300001234567^21041010647020079616? 2104-101- 0647020079616 21/04 101 064702-0079-616 Token’s heart. New expiration date. Service code: 1: Available for international interchange. 0: Transactions are authorized following the normal rules. 1: No restrictions. 064702: It handles transaction’s range/CVV role. 0079: Transaction’s id, increase +1 in each transaction. 616: Random numbers, to fill IATA/ABA format, generated from a cryptogram/array method. The last 20 digits are the token’s heart: 21041010647020079616
NFC/MST offline/online mode Without internet; did not change the middle counter %4012300001234567^2104101082000(constant)0216242? %4012300001234567^21041010820000217826? %4012300001234567^21041010820000218380? […] With internet, the middle counter increased +1: %4012300001234567^21041010820000233969? % 4012300001234567^21041010820000234196? %4012300001234567^21041010820010235585? ← +1
Token Phases ●Active: Normal status after generated. ●Pending: Waiting for TSP’s response. ●Disposed: Destroyed token. ●Enrolled: Registered token. ●Expired: Became invalid after period of time. ●Suspended_provision: Valid PAN, requesting more info. ●Suspended: VST will decline the transaction with a suspended token.
Updating Token Status //SAMPLE REQUEST URL https://sandbox.api.visa.com/vts/provisionedTokens/{vProvisionedTokenID} /suspend?apikey={apikey} // Header content-type: application/jsonx-pay-token: {generated from request data} // Body { "updateReason": { "reasonCode": "CUSTOMER_CONFIRMED", "reasonDesc": "Customer called" } } // SAMPLE RESPONSE // Body {} Source: Visa Developer Center
Files Structure Databases > 20 Directories/files vasdata.db, suggestions.db, mc_enc.db /system/csc/sales_code.dat, SPayLogs/ spay.db, spayEuFw.db, PlccCardData_enc.db B1.dat, B2.dat, pf.log, /dev/mst_ctrl membership.db, image_disk_cache.db, loyaltyData. db /efs/prov_data/plcc_pay/plcc_pay_enc.dat transit.db, GiftCardData.db, personalcard.db /efs/prov_data/plcc_pay/plcc_pay_sign.dat CERT.db, MyAddressInfoDB.db, serverCertData.db /sdcard/dstk/conf/rootcaoper.der gtm_urls.db, statistics.db, mc_enc.db /efs/pfw_data, /efs/prov_data/pfw_data spayfw_enc.db, collector_enc.db, cbp_jan_enc.db /sys/class/mstldo/mst_drv/transmit… many more
cbp_jan_enc.db CREATE TABLE tbl_enhanced_token_info (_id INTEGER PRIMARY KEY AUTOINCREMENT, vPanEnrollmentID TEXT, vProvisionedTokenID TEXT, token_requester_id TEXT, encryption_metadata TEXT, tokenStatus TEXT, payment_instrument_last4 TEXT, payment_instrument_expiration_month TEXT, payment_instrument_expiration_year TEXT, token_expirationDate_month TEXT, token_expirationDate_year TEXT, appPrgrmID TEXT, static_params ... https://sandbox.api.visa.com/vts/provisionedTokens/ {vProvisionedTokenID}/suspend?apikey={apikey}
Flaws and Issues ● paramString = LFWrapper.encrypt("OverseaMstSeq", paramString); ● bool1 = b.edit().putString(paramString, LFWrapper.encrypt ("PropertyUtil", null)).commit(); ● String str = LFWrapper.encrypt("tui_lfw_seed", Integer.toString (paramInt));
Flaws and Issues ● Token expiration date is in blank. ● ivdRetryExpiryTime implements timestamp format. ● If Samsung Pay generated a token, but it is not used to make a purchase, that token still active/alive.
Attacks Different scenarios: ● Social engineering (Video) ● Jamming MST signal (video/tool) ● Reversing the encrypt/decrypt function ● Guessing the next token
Social Engineering https://www.youtube.com/watch?v=QMR2JiH_ymU
JamPay https://www.youtube.com/watch?v=CujkEaemdyE
Encrypt/Decrypt Functions
Guessing a Token?
Samsung Pay in Mexico? https://www.youtube.com/watch?v=EphR18sSjgA We did it first: Thanks @Sabasacustivo
Greetz, Hugs & Stuff Samy Kamkar (@samykamkar) Pedro Joaquin (@_hkm) Andres Sabas (@Sabasacustico) Luis Colunga (@sinnet3000) RMHT (raza-mexicana.org) The Extra’s mom
Questions? Thank you! Salvador Mendoza Twitter: @Netxing Salvador_m_g@msn.com
Black Hat Sound Bytes ● Samsung Pay has some levels of security, but it is a fact that could be a target for malicious attacks. ● Samsung Pay has some limitations in the tokenization process which could affect customers’ security. ● Finally, tokens generated by Samsung Pay could be used in another hardware. Salvador Mendoza (@Netxing)

Recommended

1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauthPriyanka Aash
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...Priyanka Aash
 
Behind the scenes with IOS security
Behind the scenes with IOS securityBehind the scenes with IOS security
Behind the scenes with IOS securityPriyanka Aash
 
v 1.0
v 1.0v 1.0
v 1.0Vinod Amarathunga
 
Information for tpp regarding jordan ahli bank psd2 api
Information for tpp regarding jordan ahli bank psd2 apiInformation for tpp regarding jordan ahli bank psd2 api
Information for tpp regarding jordan ahli bank psd2 apiahli bank
 
Derived Unique Token per Transaction
Derived Unique Token per TransactionDerived Unique Token per Transaction
Derived Unique Token per TransactionPriyanka Aash
 
Metadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN ExplosionMetadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN ExplosionCoin Sciences Ltd
 

Recommended

1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauthPriyanka Aash
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...Priyanka Aash
 
Behind the scenes with IOS security
Behind the scenes with IOS securityBehind the scenes with IOS security
Behind the scenes with IOS securityPriyanka Aash
 
v 1.0
v 1.0v 1.0
v 1.0Vinod Amarathunga
 
Information for tpp regarding jordan ahli bank psd2 api
Information for tpp regarding jordan ahli bank psd2 apiInformation for tpp regarding jordan ahli bank psd2 api
Information for tpp regarding jordan ahli bank psd2 apiahli bank
 
Derived Unique Token per Transaction
Derived Unique Token per TransactionDerived Unique Token per Transaction
Derived Unique Token per TransactionPriyanka Aash
 
Metadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN ExplosionMetadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN ExplosionCoin Sciences Ltd
 
PgConf_2016_EU.pptx
PgConf_2016_EU.pptxPgConf_2016_EU.pptx
PgConf_2016_EU.pptxNikitaShaburov
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseDESMOND YUEN
 
Internet banking applications' security
Internet banking applications' securityInternet banking applications' security
Internet banking applications' securitySecuRing
 
Kerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityKerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityJ.D. Wade
 
Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010J.D. Wade
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...IRJET Journal
 
TripThru_API_Doc_v1
TripThru_API_Doc_v1TripThru_API_Doc_v1
TripThru_API_Doc_v1Edward Hamilton
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
CARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINALCARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINALMilos Dunjic
 
java and javascript api dev guide
java and javascript api dev guidejava and javascript api dev guide
java and javascript api dev guideZenita Smythe
 
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfSplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfTuynNguyn819213
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoJ.D. Wade
 
WSO2 Complex Event Processor
WSO2 Complex Event ProcessorWSO2 Complex Event Processor
WSO2 Complex Event ProcessorSriskandarajah Suhothayan
 
Security's Once and Future King
Security's Once and Future KingSecurity's Once and Future King
Security's Once and Future KingKapil Sachdeva
 
Vilas Patil
Vilas PatilVilas Patil
Vilas PatilVilas Patil
 
Offensive Payment Security
Offensive Payment SecurityOffensive Payment Security
Offensive Payment SecurityPayment Village
 
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...MongoDB
 
Blockchain technology for the grid
Blockchain technology for the gridBlockchain technology for the grid
Blockchain technology for the gridmalikmayank
 
Patent Blockchain People Bank of China (PBOC)
Patent Blockchain People Bank of China (PBOC)Patent Blockchain People Bank of China (PBOC)
Patent Blockchain People Bank of China (PBOC)Rein Mahatma
 
Payment gateway testing
Payment gateway testingPayment gateway testing
Payment gateway testingAtul Pant
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 

More Related Content

Similar to Samsung pay: tokenized numbers flaws and issues

Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseDESMOND YUEN
 
Internet banking applications' security
Internet banking applications' securityInternet banking applications' security
Internet banking applications' securitySecuRing
 
Kerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityKerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityJ.D. Wade
 
Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010J.D. Wade
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...IRJET Journal
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
CARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINALCARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINALMilos Dunjic
 
java and javascript api dev guide
java and javascript api dev guidejava and javascript api dev guide
java and javascript api dev guideZenita Smythe
 
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfSplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfTuynNguyn819213
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoJ.D. Wade
 
Security's Once and Future King
Security's Once and Future KingSecurity's Once and Future King
Security's Once and Future KingKapil Sachdeva
 
Offensive Payment Security
Offensive Payment SecurityOffensive Payment Security
Offensive Payment SecurityPayment Village
 
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...MongoDB
 
Blockchain technology for the grid
Blockchain technology for the gridBlockchain technology for the grid
Blockchain technology for the gridmalikmayank
 
Patent Blockchain People Bank of China (PBOC)
Patent Blockchain People Bank of China (PBOC)Patent Blockchain People Bank of China (PBOC)
Patent Blockchain People Bank of China (PBOC)Rein Mahatma
 
Payment gateway testing
Payment gateway testingPayment gateway testing
Payment gateway testingAtul Pant
 

Similar to Samsung pay: tokenized numbers flaws and issues (20)

PgConf_2016_EU.pptx
PgConf_2016_EU.pptxPgConf_2016_EU.pptx
PgConf_2016_EU.pptx
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-response
 
Internet banking applications' security
Internet banking applications' securityInternet banking applications' security
Internet banking applications' security
 
Kerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityKerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas City
 
Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...
 
TripThru_API_Doc_v1
TripThru_API_Doc_v1TripThru_API_Doc_v1
TripThru_API_Doc_v1
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
 
CARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINALCARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINAL
 
java and javascript api dev guide
java and javascript api dev guidejava and javascript api dev guide
java and javascript api dev guide
 
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfSplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
 
WSO2 Complex Event Processor
WSO2 Complex Event ProcessorWSO2 Complex Event Processor
WSO2 Complex Event Processor
 
Security's Once and Future King
Security's Once and Future KingSecurity's Once and Future King
Security's Once and Future King
 
Vilas Patil
Vilas PatilVilas Patil
Vilas Patil
 
Offensive Payment Security
Offensive Payment SecurityOffensive Payment Security
Offensive Payment Security
 
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...
MongoDB World 2018: Decentralized Identity Management with Blockchain and Mon...
 
Blockchain technology for the grid
Blockchain technology for the gridBlockchain technology for the grid
Blockchain technology for the grid
 
Patent Blockchain People Bank of China (PBOC)
Patent Blockchain People Bank of China (PBOC)Patent Blockchain People Bank of China (PBOC)
Patent Blockchain People Bank of China (PBOC)
 
Payment gateway testing
Payment gateway testingPayment gateway testing
Payment gateway testing
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Samsung pay: tokenized numbers flaws and issues

  • 1.
  • 2. Samsung Pay: Tokenized Numbers, Flaws and Issues Salvador Mendoza Twitter: @Netxing Salvador_m_g@msn.com
  • 3. About Me Salvador Mendoza ● Researcher o Android apps and tokenization mechanisms. ● College student o A. S. Computer Science Degree o Computer Network Administration Certificate o Computer Programming Specialist Certificate
  • 4. Agenda ● Terminology ● Tokenized numbers ● Numbers and analyzing a token ● MST and NFC protocols ● Fragile tokenized process and storage ● Possible attacks ● JamPay tool
  • 5. Terminology ● NFC: Near Field Communication ● MST: Magnetic Secure Transmission ● VST: Visa Token Service ● Tokenized numbers: A process where the primary account number (PAN) is replaced with a surrogate value = Token. ● Token: An authorized voucher to interchange for goods or service. ● TSP: Token Service Provider ● PAN: Primary Account Number
  • 6. Analyzing Tokenized Numbers (Token) %4012300001234567^21041010647020079616?; 4012300001234567^21041010647020079616? ~4012300001234567^21041010647020079616? % = Start sentinel for first track ^ = Separator ? = End sentinel for every track ; = Start sentinel for second track ~ = Start sentinel for third track A tokenized number follows exactly the same format of IATA/ABA; emulating perfectly a swiping physical card.
  • 7. Analyzing a Track Second track ;4012300001234567^21041010647020079616? 401230-000-1234567 401230 000 01234567 New CC number Private BIN # Never change, from original CC Still researching The first 16 digits are the new assigned CC number: 4012300001234567
  • 8. Analyzing a Track Second track = ;4012300001234567^21041010647020079616? 2104-101- 0647020079616 21/04 101 064702-0079-616 Token’s heart. New expiration date. Service code: 1: Available for international interchange. 0: Transactions are authorized following the normal rules. 1: No restrictions. 064702: It handles transaction’s range/CVV role. 0079: Transaction’s id, increase +1 in each transaction. 616: Random numbers, to fill IATA/ABA format, generated from a cryptogram/array method. The last 20 digits are the token’s heart: 21041010647020079616
  • 9. NFC/MST offline/online mode Without internet; did not change the middle counter %4012300001234567^2104101082000(constant)0216242? %4012300001234567^21041010820000217826? %4012300001234567^21041010820000218380? […] With internet, the middle counter increased +1: %4012300001234567^21041010820000233969? % 4012300001234567^21041010820000234196? %4012300001234567^21041010820010235585? ← +1
  • 10. Token Phases ●Active: Normal status after generated. ●Pending: Waiting for TSP’s response. ●Disposed: Destroyed token. ●Enrolled: Registered token. ●Expired: Became invalid after period of time. ●Suspended_provision: Valid PAN, requesting more info. ●Suspended: VST will decline the transaction with a suspended token.
  • 11. Updating Token Status //SAMPLE REQUEST URL https://sandbox.api.visa.com/vts/provisionedTokens/{vProvisionedTokenID} /suspend?apikey={apikey} // Header content-type: application/jsonx-pay-token: {generated from request data} // Body { "updateReason": { "reasonCode": "CUSTOMER_CONFIRMED", "reasonDesc": "Customer called" } } // SAMPLE RESPONSE // Body {} Source: Visa Developer Center
  • 12. Files Structure Databases > 20 Directories/files vasdata.db, suggestions.db, mc_enc.db /system/csc/sales_code.dat, SPayLogs/ spay.db, spayEuFw.db, PlccCardData_enc.db B1.dat, B2.dat, pf.log, /dev/mst_ctrl membership.db, image_disk_cache.db, loyaltyData. db /efs/prov_data/plcc_pay/plcc_pay_enc.dat transit.db, GiftCardData.db, personalcard.db /efs/prov_data/plcc_pay/plcc_pay_sign.dat CERT.db, MyAddressInfoDB.db, serverCertData.db /sdcard/dstk/conf/rootcaoper.der gtm_urls.db, statistics.db, mc_enc.db /efs/pfw_data, /efs/prov_data/pfw_data spayfw_enc.db, collector_enc.db, cbp_jan_enc.db /sys/class/mstldo/mst_drv/transmit… many more
  • 13. cbp_jan_enc.db CREATE TABLE tbl_enhanced_token_info (_id INTEGER PRIMARY KEY AUTOINCREMENT, vPanEnrollmentID TEXT, vProvisionedTokenID TEXT, token_requester_id TEXT, encryption_metadata TEXT, tokenStatus TEXT, payment_instrument_last4 TEXT, payment_instrument_expiration_month TEXT, payment_instrument_expiration_year TEXT, token_expirationDate_month TEXT, token_expirationDate_year TEXT, appPrgrmID TEXT, static_params ... https://sandbox.api.visa.com/vts/provisionedTokens/ {vProvisionedTokenID}/suspend?apikey={apikey}
  • 14. Flaws and Issues ● paramString = LFWrapper.encrypt("OverseaMstSeq", paramString); ● bool1 = b.edit().putString(paramString, LFWrapper.encrypt ("PropertyUtil", null)).commit(); ● String str = LFWrapper.encrypt("tui_lfw_seed", Integer.toString (paramInt));
  • 15. Flaws and Issues ● Token expiration date is in blank. ● ivdRetryExpiryTime implements timestamp format. ● If Samsung Pay generated a token, but it is not used to make a purchase, that token still active/alive.
  • 16. Attacks Different scenarios: ● Social engineering (Video) ● Jamming MST signal (video/tool) ● Reversing the encrypt/decrypt function ● Guessing the next token
  • 21. Samsung Pay in Mexico? https://www.youtube.com/watch?v=EphR18sSjgA We did it first: Thanks @Sabasacustivo
  • 22. Greetz, Hugs & Stuff Samy Kamkar (@samykamkar) Pedro Joaquin (@_hkm) Andres Sabas (@Sabasacustico) Luis Colunga (@sinnet3000) RMHT (raza-mexicana.org) The Extra’s mom
  • 23. Questions? Thank you! Salvador Mendoza Twitter: @Netxing Salvador_m_g@msn.com
  • 24. Black Hat Sound Bytes ● Samsung Pay has some levels of security, but it is a fact that could be a target for malicious attacks. ● Samsung Pay has some limitations in the tokenization process which could affect customers’ security. ● Finally, tokens generated by Samsung Pay could be used in another hardware. Salvador Mendoza (@Netxing)