
Researcher warns of flaws in Samsung Pay tokenization and mag stripe features


A researcher presenting at Black Hat claims to have found vulnerabilities in Samsung Pay's tokenization mechanism and its magnetic secure transmission (MST) contactless payment technology that could allow hackers to steal users' tokens and make fraudulent purchases.

According to researcher Salvador Mendoza, Samsung's tokenization process, which replaces payment card data with random symbols during transactions to render the data useless to thieves, is not as randomized as it could be, potentially allowing malicious hackers to ultimately guess future tokens.

Additionally, Mendoza showed that attackers can steal tokens from an individual's phone using a device that steals over-the-air signals from Samsung's MST technology, which mimics the magnetic stripes of payment cards in order to enable purchases at older point-of-sale terminals. Mendoza created a video on YouTube to demonstrate this process, using his own device that he named TokenGet.

Samsung later disputed the findings in an official statement, noting: “We are aware of a recent and inaccurate report regarding the security of Samsung Pay. We would like to clarify that Samsung Pay is built with highly secure technology and is the most widely accepted mobile payment solution available today.”

In emailed comments, George Rice, senior director of payments at HPE Security - Data Security, said that Mendoza's presentation shows that “payment tokens still have value to criminals who may capture and use stolen payment tokens for fraudulent transactions. Businesses and consumers must recognize that mobile devices are inherently insecure data environments, and use a combination of encryption and tokenization to achieve maximum protection of sensitive data.”

“Techniques like format-preserving encryption allow mobile wallets to encrypt credit card information, payment tokens and personal information immediately upon capture so the data is useless if even stolen by data thieves,” Rice continued.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
