Security & Fraud

Samsung Denies Samsung Pay Can Be Hacked Via The Tokenization Process

Samsung Pay Citibank Singapore

Samsung is out on Tuesday (Aug. 9) denying that Samsung Pay can be hacked after a security researcher demonstrated how it can be done at a recent Black Hat conference.

On its website, Samsung said: “Keeping payment information safe is a top priority for Samsung Pay, which is why Samsung Pay is built with highly advanced security features. It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms. Samsung Pay is considered safer than payment cards because it transmits one-time-use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.”

At a recent Black Hat Security confab in Las Vegas, Salvador Mendoza, a security analyst, showcased a flaw in Samsung Pay’s tokenization process that can enable a hacker to figure out a purchaser’s credit card number. Tokenization generates a string of random numbers and letters used to hide payment details that could be used to exploit somebody. The researcher said that, when credit card and debit card numbers are added to Samsung Pay and assigned a specific token, future tokens become easier to guess. The security analyst couldn’t explain why this happens.

According to a report, the flaw with Samsung Pay happens at transaction time with its magnetic secure transmission technology, which is incorporated into the Galaxy line of smartphones, and enables customers to pay with Samsung Pay even if the merchant has an old cash register. When someone is purchasing something using Samsung Pay, a chip within the phone sends off a signal that acts as the magnetic strip on a credit or debit card. That is convenient for shoppers but presents an opportunity for hackers to collect a token, which can then be used to figure out other tokens. While the flaw exists, capturing that seed token isn’t a relative walk in the part. Mendoza did acknowledge it requires the hacker to have special hardware that can spoof the magnetic payment terminals and access the person’s phone. Still, he did say it isn’t impossible and put proof to his words by showing off an open-source prototype that is small enough to be concealed but could do the job. Mendoza even said the skimming process could be automated.



B2B APIs aren’t just for large enterprises anymore — middle-market firms and SMBs now realize their potential for enabling low-cost access to real-time payments and account data. But those capabilities are only the tip of the API iceberg, says HSBC global head of liquidity and cash management Diane Reyes. In this month’s B2B API Tracker, Reyes explains how the next wave of banking APIs could fight payments fraud and proactively alert middle-market treasurers to investment opportunities.

Click to comment