Researcher warns of flaws in Samsung Pay tokenisation and mag stripe features

A researcher presenting at Black Hat claims to have found vulnerabilities in Samsung Pay's tokenisation mechanism and its magnetic secure transmission (MST) contactless payment technology that could allow hackers to steal users' tokens and make fraudulent purchases.

According to researcher Salvador Mendoza, Samsung's tokenisation process, which replaces payment card data with random symbols during transactions to render the data useless to thieves, is not as randomised as it could be, potentially allowing malicious hackers to ultimately guess future tokens.

Additionally, Mendoza showed that attackers can steal tokens from an individual's phone using a device that steals over-the-air signals from Samsung's MST technology, which mimics the magnetic stripes of payment cards  to enable purchases at older point-of-sale terminals. Mendoza created a video on YouTube to demonstrate this process, using his own device that he named TokenGet.

Samsung later disputed the findings in an official statement, noting: “We are aware of a recent and inaccurate report regarding the security of Samsung Pay. “We would like to clarify that Samsung Pay is built with highly secure technology and is the most widely accepted mobile payment solution available today.”

In comments emailed to SCMagazine.com. George Rice, senior director of payments at HPE Security - Data Security, said that Mendoza's presentation shows that “payment tokens still have value to criminals who may capture and use stolen payment tokens for fraudulent transactions. Businesses and consumers must recognise that mobile devices are inherently insecure data environments, and use a combination of encryption and tokenisation to achieve maximum protection of sensitive data.”

“Techniques like format-preserving encryption allow mobile wallets to encrypt credit card information, payment tokens and personal information immediately upon capture so the data is useless if even stolen by data thieves,” Rice continued.

Sign up to our newsletters