All right, I want to give a round of applause for Salvador Mendoza, about Samsung Pay tokenized numbers flaws and issues.

Thank you. It's a pleasure to be in this country here, and I'm going to talk about Samsung Pay tokenized numbers flaws and issues. Also, we want to talk about cocoa dry old son laser beams today. Basically I have 20 minutes to explain almost one year of my research, and we are going to start with the agenda for today. We're going to talk about terminology, analyzing tokenized numbers, MST and NFC protocols, token phases or status, and of course flaws and issues. Then use case scenarios. I'm going to introduce two tools today. At the end I'm going to talk about international tokens.

For terminology, I'm going to use NFC for near field communication, MST for magnetic secure transmission protocol, and VTS for Visa Token Service, which mainly are the protocols for the tokenization process. Tokenized numbers: what is the process where the primary account number (PAN) is replaced with a surrogate value? In this case it's going to be a token, and a token is a bunch of things to exchange for goods or services. TSP for token service provider, which is in charge of the tokenization process. PAN for primary account number.

So let's start analyzing tokenized numbers. Basically, when you're going to make a payment, Samsung Pay is going to create three tracks. It's like when you swipe your card, but this time all the tracks are the same values. Why? Basically because it doesn't matter which track the terminal is going to detect; if it detects any one, the transaction can go through. If we analyze the last 20 digits of the token, we need to analyze them like they are different counters. Basically the first four digits are for the new expiration date for the new virtual credit card. The next three digits are for the new service code. The service code is very important because, for example, you have a PIN and chip protected card and you add it to Samsung Pay; Samsung Pay is going to replace this value, so you don't have the necessity to have a physical card with you to make a payment. The last counter is a transaction range, which plays a decisive role. The next counter is a transaction ID, which mainly increases plus one every time you use Samsung Pay. And the last three digits are random numbers to fill the American Banking Association format for track two.

In this case, offline and online mode: basically when you are in offline mode the counter in the middle of the token doesn't change, but when Samsung Pay connects to the internet, this counter increases every three or four transactions. One of the problems with Samsung Pay is that you can make payments in airplane mode. This means that Samsung Pay doesn't have full control of the tokens.

Let's talk a little bit about the token phases or status. Like any other transactions, the tokens of Samsung Pay have different status, like for example active, pending, disposed, enrolled, expired after a period of time, and suspended. This is how, according to the Visa developer center, a tokenization process or provider updates tokens: it's a provisioned token ID and also an API key in a JSON format. Please keep in mind this is live, that we're going to use, and then this is an example.

So the file structure is very important. I found more than 20 databases in the core of Samsung Pay. Some of them are for connections, for certificates, encryption, directories and files. I'm going to take a look at the structure of one of them, the one on the bottom, the CBP Jan encrypt database, to see the structure of this database. If we see the structure of this database, we can find some of the other fields that we need to update a token. This means that if an attacker could find a way to decrypt or to get these provisioned token IDs, he will be able to update a token all the time, even if, for example, it's expired or disposed. Maybe you're thinking these databases are very encrypted, but what I found was that the encryption for the databases uses static passwords. Basically, we see this method, the encrypt method, but it's not just the database manager; other methods also call this function to encrypt the data.

Continuing with some issues: when I was able to make a backup of the Samsung Pay databases, in the card table I found the token expiration was blank, specifically that field. Also, the retries part implements a timestamp format which expires over 24 hours. So basically the main problem here is: if Samsung Pay generates a token but you don't use this token to make a purchase, that token is still alive or active. For example, if I ask you, can you show me how Samsung Pay works, and you show me, but you're not actually making a transaction, that token is still alive. When you close this application and open it again, you are going to get a new token, but the last token is still alive.

Continuing with some issues: basically, if you are suspicious that somebody captured your token, you delete your virtual credit card and you add it again. The last digits of the new virtual credit card are going to change, but just in the last four digits. Basically, I make a lock... I didn't... I'm deleting the card. So let's go to the interesting part, the use case scenarios. We're going to talk about reversing the encrypt and the key function, social engineering, jamming MST signals, and guessing the next token. If an attacker is able to decrypt or to reverse these functions, he will be able to get, I think, almost all the information for all the encryption functions, because they use it for many methods.

Let's talk about the social method. Basically I made a tool, an Arduino, a little power boost and a credit card reader, basically around $50, and I'm going to show you an example of how it works. So, like the example I told you, you have this tool in my hand. I can capture the tokens, and I ask you, how does Samsung Pay work? And this tool sends these tokens by email. So I can use a token using another tool, like the MagSpoof tool from Samy Kamkar. Thank you, Samy. So basically when I get the token I compile it, I go to the grocery machine, and I try to use that token. So I select the product and it's authorized, and I'm spending. Thank you.

Now let's talk about the jammer. The jammer runs three services: one is for the jammer to jam the terminal, another is for the email service, and another is so you can see the tokens in the web browser. Basically it's running a Python web server; it's in a template. Let's imagine that you're in Vegas. Right, so we're in Vegas. So basically I found the machine and I use my jammer. So the main point here: the jammer is always sending magnetic MST signals, magnetic secure transmission signals. When a user comes to make a transaction, the terminal is not anymore in input mode, so the jammer is going to detect the MST signal and it's going to send it to me by email. I got the token. So after that I use MagSpoof again. Samy, you're my hero. I make an authorization transaction, after that I'm going to select the drink, and I'm ending. So I was thinking about getting a token, but basically I forgot my card reader, sorry about that.

So let's talk about international Samsung Pay tokens. I assumed that the virtual credit card was going to use the same restrictions as a physical card. Like, for example, when you're going to another country, you basically call your bank and tell them, I'm going to be in, let's say, Mexico, so the bank takes care of it and you can use that card in that country. What I was interested in was: I sent one of my tokens to Mexico to see if some of my friends could make a purchase, and what kind of restrictions the bank is going to have. So basically it was July 8th. I sent one of my tokens to a guy in Mexico, and he tried to charge me 20 Mexican pesos, basically. So the transaction went through. He was asked for a signature; that's not my signature, but... So that went through, and I got the confirmation from Samsung Pay: you have spent 20 Mexican pesos, even when Samsung Pay is not in Mexico yet.

So the takeaways for today: Samsung Pay has some levels of security, but it's a fact that it could be targeted by malicious attacks. Samsung Pay has some limitations in the tokenization process which could affect customer security. And finally, tokens generated by Samsung Pay could be used on other hardware. If you have any questions, this is your time to ask me, and I want to say thank you to all these guys. I really appreciate you.
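A defender-side illustration of the two checks the talk says were missing on the token service side (an issued-but-never-used token that stays alive, and a captured token being accepted again), as an added Python example that is not code from the talk, from Samsung or from Visa; the status names, fields, token IDs and the 24-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of a token-service-side validator. Status names, fields and
# the 24-hour window are assumptions for illustration, not Samsung Pay's or
# Visa's real schema.
ACTIVE, EXPIRED = "active", "expired"
UNUSED_TTL = timedelta(hours=24)  # assumed lifetime of a token that is never spent

@dataclass
class Token:
    token_id: str
    issued_at: datetime
    status: str = ACTIVE
    last_txn_id: int = 0       # last accepted transaction counter
    last_used_at: datetime = None

class TokenStore:
    """Server-side state: a replayed or stale token is refused here."""
    def __init__(self) -> None:
        self.tokens = {}

    def issue(self, token_id: str, now: datetime) -> None:
        self.tokens[token_id] = Token(token_id, issued_at=now)

    def authorize(self, token_id: str, txn_id: int, now: datetime) -> str:
        t = self.tokens.get(token_id)
        if t is None:
            return "reject: unknown token"
        # A token that was issued but never used must not stay alive forever.
        if t.last_used_at is None and now - t.issued_at > UNUSED_TTL:
            t.status = EXPIRED
        if t.status != ACTIVE:
            return "reject: token " + t.status
        # The counter must strictly increase: a captured track replayed with
        # the same or a lower transaction ID is refused.
        if txn_id <= t.last_txn_id:
            return "reject: replayed or out-of-order transaction id"
        t.last_txn_id, t.last_used_at = txn_id, now
        return "approve"

def demo() -> list:
    """Constructed scenario: spend, replay, then present a stale unused token."""
    store, t0 = TokenStore(), datetime(2016, 7, 8, 12, 0)
    store.issue("tok-A", t0)
    store.issue("tok-B", t0)  # shown to a friend, never spent
    return [store.authorize("tok-A", 1, t0 + timedelta(minutes=5)),
            store.authorize("tok-A", 1, t0 + timedelta(minutes=6)),  # replay
            store.authorize("tok-A", 2, t0 + timedelta(minutes=7)),
            store.authorize("tok-B", 1, t0 + timedelta(hours=25))]   # stale
```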