Skip to main content

Samsung Pay flaw could allow hackers to intercept and decode credit card info

samsung pay update masterpass galaxy s7 edge
Jeffrey Van Camp/Digital Trends
Mobile payments may be the future. Indeed, researchers at eMarketer predict contactless payments, or transactions completed with “tap-to-pay” tech like Android Pay or Apple Pay, could grow 210 percent this year to $27.05 billion — but that doesn’t mean they’re secure. Case in point: a recently discovered bug in Samsung Pay, Korean company’s eponymous proprietary payments platform, theoretically allows hackers to intercept and decode credit card info.

At the Black Hat Security conference in Las Vegas last week, security analyst Salvador Mendoza demonstrated a flaw in Samsung Pay’s tokenization process, the string of numbers and letters the platform randomly generates to obfuscate payment details, that could allow a hacker to “guess” at a purchaser’s credit card number. Tokens could be predicted, he explained: After a specific credit or debit card is added to Samsung Pay and associated with a specific token, future tokens inexplicably become “weaker” and easier to guess.

Recommended Videos

Central to the flaw’s execution is Samsung’s magnetic secure transmission technology, a feature on the company’s newest flagship Galaxy phones which lets users pay at legacy registers. At transaction time, a specialized chip within the phone emits a signal which mimics the magnetic strip on a credit card. The terminal processes a physical swipe as usual — an undoubted convenience at retailers contactless-compatible payments terminals. But it also provides a means to collect the initial, “seed” token from which the others can be deciphered, Mendoza said.

swipe-1-jpg
Image used with permission by copyright holder

Obtaining the token isn’t necessarily easy — it requires special hardware that’s capable of spoofing a magnetic payments terminal, first of all, and furthermore access a victim’s phone. But it’s far from impossible. Mendoza designed an open source prototype that’s small enough to transport — during the Black Hat demonstration, he strapped it to his arm — and perhaps more worryingly, easily concealed within off-the-shelf terminal hardware. The skimming process can be automated, even — Mendoza’s mock-up forwarded intercepted tokens to an e-mail inbox.

Please enable Javascript to view this content

Once the initial payment token is intercepted, a user’s future tokens can be easily guessed, Mendoza said. He sent a generated token to a friend in Mexico who was able to purchase an item from a vending machine with magnetic spoofing hardware — despite the fact that Samsung Pay isn’t even available in Mexico.

Nothing precludes “every credit card, debit card, or prepaid card from any affiliated bank” from susceptibility, Mendoza said — since Samsung Pay pay generates tokens indiscriminately, one is no less predictable than another. But he offered some consolation: gift cards are safe. That’s because Samsung Pay generates a bar code for gift cards rather than a transmittable token.

swipe-2
Image used with permission by copyright holder

Last week, Samsung issued a statement which characterized Mendoza’s research as “inaccurate” and misleading. “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform,” a spokesperson said. “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”

The company offered a more detailed rebuttal on Monday:

We are aware of a recent and inaccurate report regarding the security of Samsung Pay. We would like to clarify that Samsung Pay is built with highly secure technology and is the most widely accepted mobile payment solution available today.

Each Samsung Pay transaction uses a digital token to replace a card number. The encrypted token combined with certificate information goes through multiple security layers and can be used only once to make a payment. Samsung Pay is designed so that merchants and retailers cannot see or store the actual card data, and our customers are notified with each transaction. Multiple layers of security from Samsung Pay and our partners are in place to detect threats to security.

Security is our number one priority at Samsung — and always will be. We are committed to securing and protecting user data.

Samsung Pay is off to an amazing start and we are proud to offer the only mobile payment option that works almost anywhere you can swipe or tap a card today.

We’ve reached out to the company for clarification.

Security experts have warned that mobile payments security, broadly speaking, isn’t as ironclad as advertised. A survey of over 900 cybersecurity professionals conducted as part of ISACA’s 2015 Mobile Payment Security Study found that nearly half, or 47 percent, believe that mobile payments carried significant risks, and that most didn’t have faith in current mechanisms to prevent hacks — more than 87 percent said they expected a “surge” in mobile payments data breaches in the next year.

Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
These accessories truly leveled up my OnePlus 13 experience
OnePlus 13 Aramid fiber and magnetic case lying on a blue couch.

The OnePlus 13 is a very exciting phone. Even though we're just a few weeks into 2025, this feels like one of the most compelling candy bar-style phones to launch this year. It marks massive leaps for OnePlus' flagship lineup, especially with improved resistance against water and dust with its IP68 and IP69 ratings.

What truly makes OnePlus 13 fanciful to me is its freshly added support for the "Mag" line of accessories. These magnetic accessories are designed to make your time with the OnePlus 13 much more convenient and elevate its status further into the ranks of flagships. Here's how these accesories and features have made the OnePlus 13 more endearing to me.
The new OnePlus accessories

Read more
It’s official — TikTok can be banned in the U.S.
a person using Tiktok on their phone

The U.S. Supreme Court ruled against TikTok on Friday, effectively banning the social network in the country starting Sunday, January 19. The New York Times reported that this decision was unanimous, 9-0.

The decision means that U.S. operations for the popular app must shut down this weekend to comply with a 2024 law that President Biden signed that forced the Chinese-based network from operating in the States.

Read more
This Android 16 feature will change how you multitask forever
Three apps running side by side using multitasking features on a OnePlus Open held in hand.

Google is not expected to release Android 16 to the public for a few months, but there has already been significant buzz around the update. The most recent news about the update comes from Android Authority, and it’s particularly exciting for tablet users.

The report indicates that Android 16 will significantly enhance the split-screen mode. Inspired by OnePlus’ Open Canvas feature for the OnePlus Open—and later adapted for the OnePlus Pad 2—this update will enable users to run up to three apps simultaneously. Two apps will occupy 90% of the display in this setup, while the third will take up the remaining 10%.

Read more