Skip to main content
  1. Home
  2. Phones
  3. Android
  4. Mobile
  5. News

Samsung Pay flaw could allow hackers to intercept and decode credit card info

Add as a preferred source on Google

Mobile payments may be the future. Indeed, researchers at eMarketer predict contactless payments, or transactions completed with “tap-to-pay” tech like Android Pay or Apple Pay, could grow 210 percent this year to $27.05 billion — but that doesn’t mean they’re secure. Case in point: a recently discovered bug in Samsung Pay, Korean company’s eponymous proprietary payments platform, theoretically allows hackers to intercept and decode credit card info.

At the Black Hat Security conference in Las Vegas last week, security analyst Salvador Mendoza demonstrated a flaw in Samsung Pay’s tokenization process, the string of numbers and letters the platform randomly generates to obfuscate payment details, that could allow a hacker to “guess” at a purchaser’s credit card number. Tokens could be predicted, he explained: After a specific credit or debit card is added to Samsung Pay and associated with a specific token, future tokens inexplicably become “weaker” and easier to guess.

Recommended Videos

Central to the flaw’s execution is Samsung’s magnetic secure transmission technology, a feature on the company’s newest flagship Galaxy phones which lets users pay at legacy registers. At transaction time, a specialized chip within the phone emits a signal which mimics the magnetic strip on a credit card. The terminal processes a physical swipe as usual — an undoubted convenience at retailers contactless-compatible payments terminals. But it also provides a means to collect the initial, “seed” token from which the others can be deciphered, Mendoza said.

swipe-1-jpg
Image used with permission by copyright holder

Obtaining the token isn’t necessarily easy — it requires special hardware that’s capable of spoofing a magnetic payments terminal, first of all, and furthermore access a victim’s phone. But it’s far from impossible. Mendoza designed an open source prototype that’s small enough to transport — during the Black Hat demonstration, he strapped it to his arm — and perhaps more worryingly, easily concealed within off-the-shelf terminal hardware. The skimming process can be automated, even — Mendoza’s mock-up forwarded intercepted tokens to an e-mail inbox.

Once the initial payment token is intercepted, a user’s future tokens can be easily guessed, Mendoza said. He sent a generated token to a friend in Mexico who was able to purchase an item from a vending machine with magnetic spoofing hardware — despite the fact that Samsung Pay isn’t even available in Mexico.

Nothing precludes “every credit card, debit card, or prepaid card from any affiliated bank” from susceptibility, Mendoza said — since Samsung Pay pay generates tokens indiscriminately, one is no less predictable than another. But he offered some consolation: gift cards are safe. That’s because Samsung Pay generates a bar code for gift cards rather than a transmittable token.

swipe-2
Image used with permission by copyright holder

Last week, Samsung issued a statement which characterized Mendoza’s research as “inaccurate” and misleading. “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform,” a spokesperson said. “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”

The company offered a more detailed rebuttal on Monday:

We are aware of a recent and inaccurate report regarding the security of Samsung Pay. We would like to clarify that Samsung Pay is built with highly secure technology and is the most widely accepted mobile payment solution available today.

Each Samsung Pay transaction uses a digital token to replace a card number. The encrypted token combined with certificate information goes through multiple security layers and can be used only once to make a payment. Samsung Pay is designed so that merchants and retailers cannot see or store the actual card data, and our customers are notified with each transaction. Multiple layers of security from Samsung Pay and our partners are in place to detect threats to security.

Security is our number one priority at Samsung — and always will be. We are committed to securing and protecting user data.

Samsung Pay is off to an amazing start and we are proud to offer the only mobile payment option that works almost anywhere you can swipe or tap a card today.

We’ve reached out to the company for clarification.

Security experts have warned that mobile payments security, broadly speaking, isn’t as ironclad as advertised. A survey of over 900 cybersecurity professionals conducted as part of ISACA’s 2015 Mobile Payment Security Study found that nearly half, or 47 percent, believe that mobile payments carried significant risks, and that most didn’t have faith in current mechanisms to prevent hacks — more than 87 percent said they expected a “surge” in mobile payments data breaches in the next year.

Kyle Wiggers
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
Android desktop mode made me miss my laptop in record time
I tried writing and publishing from Google’s phone-to-monitor setup, and the future of mobile computing immediately started sweating.
Computer, Electronics, Laptop

Android 17 desktop mode has a very simple pitch. Plug your phone into a monitor, add a keyboard and mouse, and watch the slab in your pocket pretend to be a computer. I wanted to give that pitch a fair shot, so I tried using it for an actual workday instead of a cute demo.

The goal was boring on purpose: write an article, edit it, build the page in WordPress, upload whatever needed uploading, and publish the thing without running back to my laptop like a coward.

Read more
After test-driving iOS 27, my iPhone still doesn’t feel like it has made a substantial leap
Siri learned new tricks. Safari got smarter tabs. My morning routine didn't change at all.
iOS 27 new star rating feature in Photos

Every June, after Apple wraps up its annual WWDC keynote, I install the latest iOS beta on my iPhone, watch the progress bar crawl to completion, and wait for the inevitable restart. For years, picking up my phone afterward felt almost identical to how it did before the update. 

I saw the same grid of icons, the same Control Center, and the same version of Siri until iOS 26 finally broke that pattern in 2025.

Read more
Android 17 makes a strong case for ignoring Android version numbers entirely
When the most noticeable change is a better Quick Settings button, the annual update cycle starts looking more like branding than progress.
Android 17 logo.

Android 17 finally separated the Wi-Fi and mobile data buttons, and I hate how much that improved my mood. For years, Android treated internet access like one mysterious blob, as if Wi-Fi and cellular data were emotionally codependent. In Android 17 Beta 3, Google split the old combined Internet button into separate Wi-Fi and mobile data tiles, making each connection easier to switch off with a single tap.

That’s a good change, which is also why it’s a little damning. When one of the cleanest wins in a major OS update is “the buttons make sense again,” the celebration gets awkward fast.

Read more