Security & Fraud

Samsung Denies Samsung Pay Can Be Hacked Via The Tokenization Process

Samsung Pay Citibank Singapore

Samsung is out on Tuesday (Aug. 9) denying that Samsung Pay can be hacked after a security researcher demonstrated how it can be done at a recent Black Hat conference.

On its website, Samsung said: “Keeping payment information safe is a top priority for Samsung Pay, which is why Samsung Pay is built with highly advanced security features. It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms. Samsung Pay is considered safer than payment cards because it transmits one-time-use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.”

At a recent Black Hat Security confab in Las Vegas, Salvador Mendoza, a security analyst, showcased a flaw in Samsung Pay’s tokenization process that can enable a hacker to figure out a purchaser’s credit card number. Tokenization generates a string of random numbers and letters used to hide payment details that could be used to exploit somebody. The researcher said that, when credit card and debit card numbers are added to Samsung Pay and assigned a specific token, future tokens become easier to guess. The security analyst couldn’t explain why this happens.

According to a report, the flaw with Samsung Pay happens at transaction time with its magnetic secure transmission technology, which is incorporated into the Galaxy line of smartphones, and enables customers to pay with Samsung Pay even if the merchant has an old cash register. When someone is purchasing something using Samsung Pay, a chip within the phone sends off a signal that acts as the magnetic strip on a credit or debit card. That is convenient for shoppers but presents an opportunity for hackers to collect a token, which can then be used to figure out other tokens. While the flaw exists, capturing that seed token isn’t a relative walk in the part. Mendoza did acknowledge it requires the hacker to have special hardware that can spoof the magnetic payment terminals and access the person’s phone. Still, he did say it isn’t impossible and put proof to his words by showing off an open-source prototype that is small enough to be concealed but could do the job. Mendoza even said the skimming process could be automated.



Banks, corporates and even regulators now recognize the imperative to modernize — not just digitize —the infrastructures and workflows that move money and data between businesses domestically and cross-border. Together with Visa, PYMNTS invites you to a month-long series of livestreamed programs on these issues as they reshape B2B payments. Masters of modernization share insights and answer questions during a mix of intimate fireside chats and vibrant virtual roundtables.

Click to comment