Samsung Pay has surprisingly been enjoying a significant amount of popularity and support in the US, rivaling even Apple Pay. Part of its success can perhaps be attributed to its Magnetic Secure Transmission or MST, a technology it acquired from LoopPay, which allows Samsung Pay to be used with traditional magstripe-based terminals. It seems, however, there might be a very high price to pay for that convenience. In a talk at the Black Hat security conference in Las Vegas, researcher Salvador Mendoza showed how easy it was to steal Samsung Pay’s MST data so that hackers and thieves can use the underlying credit card data with almost no restrictions.
The primary culprit here is a limitation that Mendoza found in Samsung Pay’s tokenization process. Like other mobile payment systems, Samsung Pay generates a token for each user’s credit card data so that it cannot be pilfered off the user’s smartphone. Unfortunately, Samsung Pay’s particular tokenization algorithms allegedly produce weaker and weaker tokens as more tokens are generated. This means each subsequent token is easier to predict or hack than the ones before it.
As if that weren’t bad enough, apparently Samsung Pay’s MST feature makes it easy to steal those tokens off a smartphone. With a contraption nearby or even an outright skimming device on a POS, Mendoza was able to easily steal token data wirelessly and e-mail it to himself to be used on another device later on.
Once those two factors have come into play, the sky’s the limit in using the credit card associated with that token. The data can be used on any device supported by Samsung Pay, and it can even be used in markets where Samsung Pay isn’t available yet.
If the situation is really as dire as Mendoza paints it, then it’s a pretty damning case against Samsung Pay, especially as it strikes at one of the key features of the service. Then again, the growing number of NFC-based terminals in the US might make it easier to remove MST altogether. But whether MST or NFC, Samsung Pay’s tokenization should be fixed, and quickly, especially if Samsung wants to remain in the running as one of the biggest mobile payment systems.
UPDATE: Samsung has issued the following statement: