Samsung Pay: Tokenized Numbers, Flaws and Issues

Presented at DEF CON 24 (2016), Aug. 5, 2016, 4:30 p.m. (30 minutes)

Samsung announced many layers of security to its Pay app. Without storing or sharing any type of user's credit card information, Samsung Pay is trying to become one of the securest approaches offering functionality and simplicity for its customers. This app is a complex mechanism which has some limitations relating security. Using random tokenize numbers and implementing Magnetic Secure Transmission (MST) technology, which do not guarantee that every token generated with Samsung Pay would be applied to make a purchase with the same Samsung device. That means that an attacker could steal a token from a Samsung Pay device and use it without restrictions. Inconvenient but practical is that Samsung's users could utilize the app in airplane mode. This makes impossible for Samsung Pay to have a full control process of the tokens pile. Even when the tokens have their own restrictions, the tokenization process gets weaker after the app generates the first token relating a specific card. How random is a Spay tokenized number? It is really necessary to understand how the tokens heretically share similarities in the generation process, and how this affect the end users' security. What are the odds to guess the next tokenized number knowing the previous one? Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk. Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.

Presenters:

• Sean Metcalf - Founder & Security Principal, Trimarc
  Sean Metcalf is founder and principal security consultant at Trimarc (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON , and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org. Twitter: @PyroTek3
• Salvador Mendoza
  Salvador Mendoza is a college student & researcher. @netxing Keybase.io: http://keybase.io/salvador

Links:

• https://defcon.org/html/defcon-24/dc-24-speakers.html#Mendoza
• https://infocon.org/cons/DEF CON/DEF CON 24/DEF CON 24 video and slides/DEF CON 24 - Salvador Mendoza - Samsung Pay - Tokenized Numbers - Flaws and Issues - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=BqjyewIEFSc

Similar Presentations:

• DerbyCon 6.0 Recharge (2016) / Samsung Pay: Tokenized Numbers, Flaws and Issues
• Black Hat USA 2016 / Samsung Pay: Tokenized Numbers, Flaws and Issues
• TROOPERS17 (2017) / Samsung Pay: Tokenized Numbers, Flaws and Issues