Samsung Denies Samsung Pay Can Be Hacked Via The Tokenization Process


On Tuesday (Aug. 9), Samsung denied that Samsung Pay can be hacked, after a security researcher demonstrated how it can be done at a recent Black Hat conference.

On its website, Samsung said: “Keeping payment information safe is a top priority for Samsung Pay, which is why Samsung Pay is built with highly advanced security features. It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms. Samsung Pay is considered safer than payment cards because it transmits one-time-use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.”

At a recent Black Hat Security confab in Las Vegas, Salvador Mendoza, a security analyst, showcased a flaw in Samsung Pay’s tokenization process that can enable a hacker to figure out a purchaser’s credit card number. Tokenization generates a string of random numbers and letters that stands in for the payment details, hiding information that could otherwise be used to exploit somebody. The researcher said that, once credit card and debit card numbers are added to Samsung Pay and assigned a specific token, future tokens become easier to guess. The security analyst couldn’t explain why this happens.

According to a report, the flaw in Samsung Pay arises at transaction time in its magnetic secure transmission technology, which is incorporated into the Galaxy line of smartphones and enables customers to pay with Samsung Pay even if the merchant has an old cash register. When someone purchases something using Samsung Pay, a chip within the phone sends off a signal that acts as the magnetic stripe on a credit or debit card. That is convenient for shoppers but presents an opportunity for hackers to collect a token, which can then be used to figure out other tokens. While the flaw exists, capturing that seed token isn’t exactly a walk in the park. Mendoza did acknowledge it requires the hacker to have special hardware that can spoof the magnetic payment terminals and access the person’s phone. Still, he said it isn’t impossible, and he backed up his words by showing off an open-source prototype that is small enough to be concealed but could do the job. Mendoza even said the skimming process could be automated.