Payment technologies are in an unwelcome spotlight this month, as security researchers expose their weaknesses just as the products are winning a long-desired trust among mainstream consumers.
Samsung, Oracle and the EMV standard are each getting hit in a different way: researchers at the Black Hat conference demoed a hole in Samsung Pay's security that allows its payment tokens to be captured and used from other phones; NCR researchers found a way to wipe out the benefits of EMV security; and according to security reporter Brian Krebs, Oracle's technology has suffered a breach that can affect point of sale systems downstream.
Even if these attacks are more theoretical than practical, the end result is an erosion of trust in the very technologies that are supposed to make the point of sale much safer for consumer card data.
"It is a bit ridiculous that we keep having the same conversation around the need for strong authentication, especially in environments that protect payment data," said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
A presentation at a recent Black Hat event in Las Vegas demonstrated that the sequencing of Samsung Pay's protective tokens is predictable and progressively weaker. That allows tokens to be stolen and used in other hardware, in an updated version of a skimming attack. In the Black Hat presentation, a researcher sent a token from the U.S. to acquaintances in Mexico, where Samsung Pay isn't supported, who found the token to be usable through Samsung's Magnetic Secure Transmission method, which emits a magnetic signal that simulates the swipe of a magstripe card.
Samsung did not return a request for comment by deadline. The news comes amid reports that mobile payments may be poised for growth after years of lackluster performance, making it a poor time for bad publicity. Discover's Pulse, for example, reports that half of issuers say a quarter of debit transactions will be conducted via mobile devices within five years.
"It is more embarrassing than anything else for the folks over at Samsung Pay," Pascual said. "But I would be surprised if a fix didn't follow in short order. Better that a researcher finds it as opposed to a hardcore fraudster."
It's nevertheless a hard hit for the fintech industry, as most of the big mobile wallets like Apple Pay and Samsung Pay use tokens to shield mobile payment data, providing a substitute numeric ID that's not supposed to be usable on other phones or even for other transactions on the same phone. Both Apple Pay and Samsung Pay bolster tokens with fingerprint biometrics such as Apple's Touch ID.
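As an added illustration, not code from the article, Samsung, Apple or any card network, the following constructed Python model shows the difference between a bare substitute token, which anyone who captures it can replay from another phone (the cross-border replay described above), and a token bound to a device-held key and a forward-only transaction counter. The token service, the message fields, the HMAC-based cryptogram and the enrolment flow are all assumptions made for the example; real wallet schemes differ in detail.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed, simplified model of a token service provider (TSP) and a wallet
# device. It is NOT Samsung Pay's, Apple Pay's or any network's real
# tokenization or MST protocol; message format and cryptogram construction
# are assumptions chosen to make the two failure modes visible.


@dataclass
class WalletDevice:
    device_id: str
    token: str          # substitute card number issued at enrolment
    key: bytes          # device-bound secret provisioned by the TSP
    counter: int = 0    # application transaction counter, only ever increases

    def static_payment(self, amount: int) -> dict:
        """Naive scheme: the token alone is the credential. Whoever captures it
        (skimmer, malicious app, MST receiver) can replay it from any device."""
        return {"token": self.token, "amount": amount}

    def cryptogram_payment(self, amount: int) -> dict:
        """Token plus a per-transaction cryptogram over (token, counter, amount)
        keyed with this device's secret."""
        self.counter += 1
        msg = f"{self.token}|{self.counter}|{amount}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"token": self.token, "counter": self.counter,
                "amount": amount, "mac": mac}


class TokenServiceProvider:
    def __init__(self) -> None:
        # token -> [real PAN, device key, last accepted counter]
        self._vault: dict = {}

    def enroll(self, device_id: str, pan: str) -> WalletDevice:
        token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0]
        return WalletDevice(device_id, token, key)

    def authorize_static(self, msg: dict) -> bool:
        # Only checks that the token exists: replay and cross-device use succeed.
        return msg["token"] in self._vault

    def authorize_cryptogram(self, msg: dict) -> bool:
        entry = self._vault.get(msg["token"])
        if entry is None:
            return False
        _pan, key, last_counter = entry
        data = f"{msg['token']}|{msg['counter']}|{msg['amount']}".encode()
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False            # wrong device key or tampered fields
        if msg["counter"] <= last_counter:
            return False            # replay of an already-used cryptogram
        entry[2] = msg["counter"]   # advance the high-water mark
        return True


def run_scenarios() -> dict:
    """Constructed scenario: a victim pays, an attacker captures the message."""
    tsp = TokenServiceProvider()
    victim = tsp.enroll("victim-phone", "4111111111111111")

    # Static token: capture once, replay anywhere, accepted.
    captured = victim.static_payment(amount=1999)
    static_replay = tsp.authorize_static(dict(captured))

    # Cryptogram scheme: the genuine payment is accepted once.
    first = victim.cryptogram_payment(amount=1999)
    first_ok = tsp.authorize_cryptogram(first)
    replay_ok = tsp.authorize_cryptogram(dict(first))          # same cryptogram
    tampered = dict(first, counter=first["counter"] + 1, amount=1)
    tampered_ok = tsp.authorize_cryptogram(tampered)           # fresh counter, stale MAC

    # Stolen token loaded on another phone that lacks the device key.
    attacker = WalletDevice("attacker-phone", victim.token, secrets.token_bytes(32))
    other_device_ok = tsp.authorize_cryptogram(attacker.cryptogram_payment(1999))

    # The legitimate device keeps working because its counter moves forward.
    second_ok = tsp.authorize_cryptogram(victim.cryptogram_payment(amount=500))

    return {"static_replay_accepted": static_replay,
            "cryptogram_first_accepted": first_ok,
            "cryptogram_replay_accepted": replay_ok,
            "tampered_accepted": tampered_ok,
            "other_device_accepted": other_device_ok,
            "victim_second_accepted": second_ok}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The point of the model is that the token itself is not the secret; the device key and the counter are what stop a captured credential from being used on a second phone or for a second transaction, which is the property the article says wallet tokens are supposed to have.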
Despite these protections, mobile payment systems such as Samsung Pay, Apple Pay and Venmo have endured scrutiny about safety since each launched. Meanwhile, merchants have questioned the security benefits of EMV — particularly since the U.S. does not require the use of a PIN with all EMV cards — since long before the migration deadline.
"Expectations for fraud prevention in the mobile form factor are a bit higher than they are for plastic, which is good, but this is really more a story about how the system works than it is about flaws," said Rick Oglesby, president of AZ Payments Research.
If fraudsters figure out ways to exploit the design to steal funds in a repeatable and scalable way, then the term “flaw” would make more sense, Oglesby said. "In this case, the fraud opportunity is dependent upon access to the legitimate consumer’s phone, which limits repeatability and scalability."
But in Oracle's case, the damage is already done. Krebs reports attackers compromised a customer service portal tied to MICROS, a division at Oracle that sells point of sale systems deployed at more than 330,000 locations globally, including 100,000 retail sites, 200,000 food and beverage locations and more than 30,000 hotels. The attackers, part of a Russian organized crime group, most likely targeted a "ticketing" portal that Oracle uses to help MICROS clients troubleshoot problems at point of sale systems.
A similar incident hit the FIS Wildcard in 2011, exposing vulnerabilities in the ATM technology, according to Ben Kneiff, a senior analyst at Aite Group.
If the portal compromise allows remote access to MICROS clients' point of sale systems, it would be easy to install malware that harvests payment card data, said Thomas Pore, director of IT and services at Plixer, a Sanford, Maine-based network traffic analysis company, in an email.
"While phishing has proven to be very effective, what if the attackers didn't need to phish all of their targets, but just the third party who has access to them?" Pore said.
Oracle provided a letter to clients that said the company detected and addressed malicious code in "certain legacy MICROS systems." The company has added security measures and has required MICROS customers to change their passwords, according to the letter.
"One of the biggest challenges, particularly in the U.S. market, is fragmentation. There are so many players in the ecosystem it would be hard for all of them to be on the same security level," Kneiff said. "It takes a lot of time for ISOs and payments processors to make updates to mission critical hardware and software."