Samsung Pay Security Exposed; Company Calls Reports ‘Inaccurate’ But Doesn’t Refute Them
A computer science student and security researcher has found a chink in the armor of Samsung Pay’s security in the form of a weak tokenization process that could lead to fraudulent purchases. Newer Samsung phones are equipped with a magnetic-based contactless payment system (magnetic secure transmission, or MST) that converts payment card information into tokens, so card data itself is never stored on or transmitted by the device. However, as more tokens are created, future tokens become predictable and can be stolen and used on other devices to make fraudulent purchases, according to Salvador Mendoza, who was a speaker at a recent information security conference in Las Vegas.
To pilfer tokens, Mendoza built a device that wirelessly steals magnetic secure transmission—the signal that mimics the magnetic stripe on a payment card—when he picks up someone’s phone, and then the device emails the token to him so he can transfer it to another phone, according to a ZDNet report. Or, the device can be hidden near a card reader and used like a traditional card skimmer. Although credit, debit and prepaid cards are susceptible to this type of attack, gift cards are safe because Samsung Pay uses a bar code to be scanned instead of transmitting a signal, he said.
Samsung issued a statement Aug. 7, saying that it was aware of the “inaccurate” report about Samsung Pay’s security. However, company officials didn’t explain what was inaccurate, nor did they dispute Mendoza’s claims. Samsung Pay is built with “highly secure technology,” according to the company’s statement, which went on to say that the mobile wallet makes payments by replacing payment card data with encrypted, single-use tokens. “Multiple layers of security from Samsung Pay and our partners are in place to detect threats to security,” the company added.
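The article describes the weakness (tokens that can be captured and replayed on another device) and the defense Samsung cites (encrypted, single-use tokens) only in outline. The following is an added illustration, not Samsung’s or Mendoza’s code, of what an issuer-side token service has to enforce for “single-use” to actually block a replayed token: unpredictable token generation, one redemption per token, a short lifetime, and binding to the device that requested the token. The `TokenVault` class, the 60-second lifetime, the device identifier and the alert format are all assumptions made for the example; a real token service provider’s checks and data are not public on this page.

```python
"""
Hypothetical issuer-side token validator (added example, not from the article).

It models the properties a payment token needs so that a token skimmed from
one device cannot be replayed from another:
  * unpredictable generation (CSPRNG, not a counter the next token can be
    derived from),
  * single use (a redeemed token is never accepted again),
  * short lifetime,
  * binding to the requesting device (assumed to be visible to the issuer).
Every rejected redemption is logged as a detection record for fraud review.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime; real schemes choose their own window


class TokenVault:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._issued = {}        # token -> (device_id, issued_at)
        self._spent = set()      # tokens already redeemed
        self.alerts = []         # detection records, newest last

    def issue(self, device_id):
        """Create a fresh single-use token bound to device_id."""
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._issued[token] = (device_id, self._now())
        return token

    def redeem(self, token, device_id):
        """Accept a token exactly once, within its lifetime, from its own device."""
        record = self._issued.get(token)
        if record is None:
            return self._reject("unknown_token", token, device_id)
        if token in self._spent:
            return self._reject("replayed_token", token, device_id)
        bound_device, issued_at = record
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return self._reject("expired_token", token, device_id)
        if bound_device != device_id:
            return self._reject("device_mismatch", token, device_id)
        self._spent.add(token)
        return True

    def _reject(self, reason, token, device_id):
        # Log only a prefix of the token so the record cannot itself be replayed.
        self.alerts.append({
            "reason": reason,
            "token_prefix": token[:8],
            "device_id": device_id,
            "at": self._now(),
        })
        return False


def demo():
    """Walk through the four rejection cases; returns the list of alert reasons."""
    clock = [1_000.0]                       # constructed, controllable clock
    vault = TokenVault(now=lambda: clock[0])

    t = vault.issue("phone-A")
    vault.redeem(t, "phone-A")              # legitimate first use: accepted
    vault.redeem(t, "phone-B")              # same token presented again: replay

    t2 = vault.issue("phone-A")
    vault.redeem(t2, "phone-B")             # captured and moved to another device

    t3 = vault.issue("phone-A")
    clock[0] += TOKEN_TTL_SECONDS + 1
    vault.redeem(t3, "phone-A")             # stale token

    vault.redeem("not-a-real-token", "phone-A")
    return [a["reason"] for a in vault.alerts]


if __name__ == "__main__":
    for reason in demo():
        print("rejected:", reason)
```

The order of the checks matters for the detection log: an already-spent token is reported as a replay before the device comparison runs, so a skimmed-and-reused token shows up under one consistent reason even when it arrives from a different device.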