Mobile payment is gaining huge popularity because of the convenience and security it provides. However, according to our latest findings, popular mobile payment schemes, in order to provide a smooth user experience even with poor network connectivity, expose a number of vulnerabilities through which adversaries can readily acquire the payment token during a valid mobile payment transaction. With this payment token, the attacker can purchase anything under the limit on behalf of the user without the victim noticing.
We successfully launched attacks against mainstream mobile payment service providers, including Alipay and Samsung Pay. The results show that all of them are vulnerable. More severely, for Alipay, multiple payment methods were found vulnerable, including QR code and sound pay.
All of these attacks stem from the weak protection of the payment token, the key element of payment security. Payment tokens are designed to be ephemeral and hard to sniff. However, our experimental results show that the token can be intercepted without the payment server noticing. In addition, the stolen token can be kept alive for a considerable period of time, during which the attackers can spend it.
We believe the current payment framework should be updated to defend against these attacks. As a preliminary idea, we suggest that every token be bound to a specific transaction, even when no network connection is available.
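To make the transaction-binding idea concrete, the following is an added illustration written for this page; it is not the authors' proposal, nor any real provider's token format. It assumes a symmetric key shared between the device and the payment server (provisioned at enrolment, hypothetically), a monotonically increasing device counter, and the merchant identifier and amount being known to the device at the moment it generates the token offline. An "unbound" token (a MAC over the counter only) verifies for any merchant and amount, which is the property a stolen token exploits; the "bound" token has the merchant, amount and issue time folded into the MAC, so the server recomputes it over the transaction the merchant is actually submitting, and a token captured for one purchase cannot be spent elsewhere, replayed, or kept alive past its lifetime.

```python
"""Constructed example: offline payment tokens bound to one transaction.

A device and a payment server share a symmetric key (assumed to be provisioned
at enrolment; in practice it would live in a secure element). The device can
mint a token with no network access; the server later checks it against the
transaction the merchant claims.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample key for the demonstration only.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
TOKEN_TTL = 60  # seconds a bound token stays spendable (assumed policy)


def _mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields so boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        if isinstance(f, str):
            f = f.encode()
        elif isinstance(f, int):
            f = struct.pack(">Q", f)
        h.update(struct.pack(">I", len(f)))
        h.update(f)
    return h.digest()


def unbound_token(key, counter):
    """Token that only proves key possession: it is valid for ANY transaction."""
    return {"counter": counter, "mac": _mac(key, "unbound", counter)}


def bound_token(key, counter, merchant_id, amount_cents, issued_at):
    """Token tied to one transaction: merchant, amount, counter and issue time."""
    mac = _mac(key, "bound", counter, merchant_id, amount_cents, issued_at)
    return {
        "counter": counter,
        "merchant_id": merchant_id,
        "amount_cents": amount_cents,
        "issued_at": issued_at,
        "mac": mac,
    }


class PaymentServer:
    def __init__(self, key):
        self.key = key
        self.used_counters = set()  # one-time use: a spent counter is never accepted again

    def accept_unbound(self, token, merchant_id, amount_cents):
        # Merchant and amount play no role here: whoever holds the token can
        # charge anything, which is the weakness described above.
        expected = _mac(self.key, "unbound", token["counter"])
        return hmac.compare_digest(expected, token["mac"])

    def accept_bound(self, token, merchant_id, amount_cents, now):
        # Recompute the MAC over the transaction the MERCHANT submits, not over
        # the token's own fields, so a token minted for merchant A at amount X
        # fails at merchant B or for any other amount.
        if token["counter"] in self.used_counters:
            return False  # replay of a token that was already spent
        if now < token["issued_at"] or now - token["issued_at"] > TOKEN_TTL:
            return False  # outside the token's lifetime
        expected = _mac(
            self.key, "bound", token["counter"], merchant_id, amount_cents, token["issued_at"]
        )
        if not hmac.compare_digest(expected, token["mac"]):
            return False
        self.used_counters.add(token["counter"])
        return True


def demo():
    """Stand-alone run: legitimate spend succeeds, misuse attempts are rejected."""
    server = PaymentServer(DEVICE_KEY)
    now = int(time.time())
    tok = bound_token(DEVICE_KEY, 1, "shop-A", 1234, now)
    outcomes = {
        "other merchant": server.accept_bound(tok, "shop-B", 1234, now + 1),
        "other amount": server.accept_bound(tok, "shop-A", 9999, now + 1),
        "legitimate": server.accept_bound(tok, "shop-A", 1234, now + 2),
        "replay": server.accept_bound(tok, "shop-A", 1234, now + 3),
    }
    for label, ok in outcomes.items():
        print(f"{label:15s} -> {'accepted' if ok else 'rejected'}")
    return outcomes


if __name__ == "__main__":
    demo()
```

The server-side check is the point of the design: because the merchant's own claim of merchant identifier and amount is what enters the MAC recomputation, the token carries no authority beyond the single purchase it was minted for, and the counter set plus the short lifetime close the replay and keep-alive windows without requiring the device to be online when the token is produced.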