Security Flaw In Samsung Pay Highlighted At Recent Security Confab

Mobile payments are all the rage and rightfully so. They make purchasing easy to do and require consumers to carry one less item on them. But there is also a dark side of mobile payments, and it’s apparently rearing its head with Samsung Pay. That’s according to a security researcher that found a limitation in Samsung Pay’s security, which, if compromised, can enable someone with another phone to make fraudulent payments.

At a recent Black Hat Security confab in Las Vegas, Salvador Mendoza, a security analyst, showcased a flaw in Samsung Pay’s tokenization process that can enable a hacker to figure out a purchaser’s credit card number. Tokenization generates a string of random numbers and letters used to hide payment details that could be used to exploit somebody. The researcher said that, when credit card and debit card numbers are added to Samsung Pay and assigned a specific token, future tokens become easier to guess. The security analyst couldn’t explain why this happens.

According to a report, the flaw with Samsung Pay happens at transaction time with its magnetic secure transmission technology, which is incorporated into the Galaxy line of smartphones. It enables customers to pay with Samsung Pay even if the merchant has an old cash register. When someone is purchasing something using Samsung Pay, a chip within the phone sends off a signal that acts as the magnetic strip on a credit or debit card. That is convenient for shoppers but presents an opportunity for hackers to collect a token, which can then be used to figure out other tokens.

While the flaw exists, capturing that seed token isn’t a relative walk in the part. Mendoza did acknowledge it requires the hacker to have special hardware that can spoof the magnetic payment terminals and access the person’s phone. Still, he did say it isn’t impossible and put proof to his words by showing off an open-source prototype that is small enough to be concealed but could do the job. Mendoza even said the skimming process could be automated.