At the Black Hat Security conference in Las Vegas last week, security analyst Salvador Mendoza demonstrated a flaw in Samsung Pay’s tokenization process, the string of numbers and letters the platform randomly generates to obfuscate payment details, that could allow a hacker to “guess” at a purchaser’s credit card number. Tokens could be predicted, he explained: After a specific credit or debit card is added to Samsung Pay and associated with a specific token, future tokens inexplicably become “weaker” and easier to guess.
Central to the flaw’s execution is Samsung’s magnetic secure transmission technology, a feature on the company’s newest flagship Galaxy phones which lets users pay at legacy registers. At transaction time, a specialized chip within the phone emits a signal which mimics the magnetic strip on a credit card. The terminal processes a physical swipe as usual — an undoubted convenience at retailers contactless-compatible payments terminals. But it also provides a means to collect the initial, “seed” token from which the others can be deciphered, Mendoza said.
Obtaining the token isn’t necessarily easy — it requires special hardware that’s capable of spoofing a magnetic payments terminal, first of all, and furthermore access a victim’s phone. But it’s far from impossible. Mendoza designed an open source prototype that’s small enough to transport — during the Black Hat demonstration, he strapped it to his arm — and perhaps more worryingly, easily concealed within off-the-shelf terminal hardware. The skimming process can be automated, even — Mendoza’s mock-up forwarded intercepted tokens to an e-mail inbox.
Once the initial payment token is intercepted, a user’s future tokens can be easily guessed, Mendoza said. He sent a generated token to a friend in Mexico who was able to purchase an item from a vending machine with magnetic spoofing hardware — despite the fact that Samsung Pay isn’t even available in Mexico.
Nothing precludes “every credit card, debit card, or prepaid card from any affiliated bank” from susceptibility, Mendoza said — since Samsung Pay pay generates tokens indiscriminately, one is no less predictable than another. But he offered some consolation: gift cards are safe. That’s because Samsung Pay generates a bar code for gift cards rather than a transmittable token.
Last week, Samsung issued a statement which characterized Mendoza’s research as “inaccurate” and misleading. “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform,” a spokesperson said. “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.”
The company offered a more detailed rebuttal on Monday:
We are aware of a recent and inaccurate report regarding the security of Samsung Pay. We would like to clarify that Samsung Pay is built with highly secure technology and is the most widely accepted mobile payment solution available today.
Each Samsung Pay transaction uses a digital token to replace a card number. The encrypted token combined with certificate information goes through multiple security layers and can be used only once to make a payment. Samsung Pay is designed so that merchants and retailers cannot see or store the actual card data, and our customers are notified with each transaction. Multiple layers of security from Samsung Pay and our partners are in place to detect threats to security.
Security is our number one priority at Samsung — and always will be. We are committed to securing and protecting user data.
Samsung Pay is off to an amazing start and we are proud to offer the only mobile payment option that works almost anywhere you can swipe or tap a card today.
We’ve reached out to the company for clarification.
Security experts have warned that mobile payments security, broadly speaking, isn’t as ironclad as advertised. A survey of over 900 cybersecurity professionals conducted as part of ISACA’s 2015 Mobile Payment Security Study found that nearly half, or 47 percent, believe that mobile payments carried significant risks, and that most didn’t have faith in current mechanisms to prevent hacks — more than 87 percent said they expected a “surge” in mobile payments data breaches in the next year.
