Samsung Pay flaw could allow hackers to intercept and decode credit card info

Jeffrey Van Camp/Digital Trends
Mobile payments may be the future. Indeed, researchers at eMarketer predict contactless payments, or transactions completed with “tap-to-pay” tech like Android Pay or Apple Pay, could grow 210 percent this year to $27.05 billion — but that doesn’t mean they’re secure. Case in point: a recently discovered bug in Samsung Pay, the Korean company’s eponymous proprietary payments platform, theoretically allows hackers to intercept and decode credit card info.

At the Black Hat security conference in Las Vegas last week, security analyst Salvador Mendoza demonstrated a flaw in Samsung Pay’s tokenization process, in which the platform generates a random string of numbers and letters (a token) to stand in for the actual payment details, that could allow a hacker to “guess” a purchaser’s credit card number. Tokens could be predicted, he explained: after a specific credit or debit card is added to Samsung Pay and associated with a specific token, future tokens inexplicably become “weaker” and easier to guess.

Central to the flaw’s execution is Samsung’s magnetic secure transmission technology, a feature on the company’s newest flagship Galaxy phones which lets users pay at legacy registers. At transaction time, a specialized chip within the phone emits a signal which mimics the magnetic strip on a credit card. The terminal processes the signal as it would a physical swipe — an undoubted convenience at retailers without contactless-compatible payment terminals. But it also provides a means to collect the initial, “seed” token from which the others can be deciphered, Mendoza said.


Obtaining the token isn’t necessarily easy — it requires, first of all, special hardware capable of spoofing a magnetic payments terminal, and furthermore access to a victim’s phone. But it’s far from impossible. Mendoza designed an open source prototype that’s small enough to transport — during the Black Hat demonstration, he strapped it to his arm — and, perhaps more worryingly, easily concealed within off-the-shelf terminal hardware. The skimming process can even be automated — Mendoza’s mock-up forwarded intercepted tokens to an e-mail inbox.

Once the initial payment token is intercepted, a user’s future tokens can be easily guessed, Mendoza said. He sent a generated token to a friend in Mexico who was able to purchase an item from a vending machine with magnetic spoofing hardware — despite the fact that Samsung Pay isn’t even available in Mexico.

Nothing precludes “every credit card, debit card, or prepaid card from any affiliated bank” from susceptibility, Mendoza said — since Samsung Pay generates tokens indiscriminately, one is no less predictable than another. But he offered some consolation: gift cards are safe. That’s because Samsung Pay generates a bar code for gift cards rather than a transmittable token.
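The weakness Mendoza describes is that a later token can be narrowed down from an earlier one, which is exactly the property a defender can test for before a token scheme ships. The audit below is an added example, not code from the article, from Mendoza’s prototype, or from Samsung Pay; the two generators are hypothetical stand-ins (a deliberately weak counter-style scheme beside a CSPRNG-backed one), and the thresholds, token length and seed value are constructed choices. It measures how much consecutive tokens differ and how much entropy each token position carries; a generator whose next token sits a few hex digits away from the previous one fails, one drawn fresh from the operating system’s CSPRNG passes.

```python
"""Added example: audit a token generator for predictability from earlier tokens.

Neither generator here is Samsung Pay's algorithm; both are hypothetical
stand-ins used only to show what the audit distinguishes.
"""
import math
import secrets
from collections import Counter

TOKEN_LEN = 16  # hex digits per token (constructed choice)


def weak_generator(seed_token):
    """Hypothetical weak scheme: each token is the previous one plus a small step,
    so knowing one token narrows the next to a handful of candidates."""
    value = int(seed_token, 16)
    while True:
        value = (value + secrets.randbelow(16) + 1) % (16 ** TOKEN_LEN)
        yield f"{value:0{TOKEN_LEN}x}"


def strong_generator(seed_token):
    """Tokens drawn from the OS CSPRNG; the seed has no influence on later tokens."""
    while True:
        yield secrets.token_hex(TOKEN_LEN // 2)


def hamming_hex(a, b):
    """Number of hex positions at which two equal-length tokens differ."""
    return sum(x != y for x, y in zip(a, b))


def mean_consecutive_distance(tokens):
    """Average number of positions that change from one token to the next.
    Independent random tokens average about TOKEN_LEN * 15/16 here."""
    dists = [hamming_hex(a, b) for a, b in zip(tokens, tokens[1:])]
    return sum(dists) / len(dists)


def position_entropy(tokens):
    """Average Shannon entropy in bits per hex position (maximum 4 bits)."""
    n = len(tokens)
    total = 0.0
    for i in range(TOKEN_LEN):
        counts = Counter(t[i] for t in tokens)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total / TOKEN_LEN


def audit(gen_factory, seed_token, samples=2000):
    """Draw a run of tokens from the generator and compute both statistics."""
    gen = gen_factory(seed_token)
    tokens = [next(gen) for _ in range(samples)]
    return {
        "mean_consecutive_distance": mean_consecutive_distance(tokens),
        "mean_position_entropy": position_entropy(tokens),
    }


def is_predictable(stats, min_distance=TOKEN_LEN * 0.8, min_entropy=3.5):
    """Flag a generator whose tokens are too close to their predecessors or
    whose positions carry too little entropy (thresholds are constructed)."""
    return (stats["mean_consecutive_distance"] < min_distance
            or stats["mean_position_entropy"] < min_entropy)


if __name__ == "__main__":
    seed = "0123456789abcdef"  # constructed seed token
    for name, factory in (("weak", weak_generator), ("strong", strong_generator)):
        stats = audit(factory, seed)
        verdict = "PREDICTABLE" if is_predictable(stats) else "ok"
        print(f"{name:6s} distance={stats['mean_consecutive_distance']:.2f} "
              f"entropy={stats['mean_position_entropy']:.2f} -> {verdict}")
```

The consecutive-distance statistic is the one that matters for the scenario in the article: an observer who has captured one token gains nothing from it only if the next token is as far from it as any random string would be. The per-position entropy catches the complementary failure, where a prefix of the token stays fixed across a card’s lifetime. Both statistics are cheap enough to run in a pre-release test suite against a few thousand tokens.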


Last week, Samsung issued a statement which characterized Mendoza’s research as “inaccurate” and misleading. “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform,” a spokesperson said. “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”

The company offered a more detailed rebuttal on Monday:

We are aware of a recent and inaccurate report regarding the security of Samsung Pay. We would like to clarify that Samsung Pay is built with highly secure technology and is the most widely accepted mobile payment solution available today.

Each Samsung Pay transaction uses a digital token to replace a card number. The encrypted token combined with certificate information goes through multiple security layers and can be used only once to make a payment. Samsung Pay is designed so that merchants and retailers cannot see or store the actual card data, and our customers are notified with each transaction. Multiple layers of security from Samsung Pay and our partners are in place to detect threats to security.

Security is our number one priority at Samsung — and always will be. We are committed to securing and protecting user data.

Samsung Pay is off to an amazing start and we are proud to offer the only mobile payment option that works almost anywhere you can swipe or tap a card today.

We’ve reached out to the company for clarification.

Security experts have warned that mobile payments security, broadly speaking, isn’t as ironclad as advertised. A survey of over 900 cybersecurity professionals conducted as part of ISACA’s 2015 Mobile Payment Security Study found that nearly half, or 47 percent, believed mobile payments carried significant risks, and that most had little faith in current mechanisms to prevent hacks — more than 87 percent said they expected a “surge” in mobile payments data breaches in the next year.

