A security researcher says it isn’t too hard to defraud Samsung Pay users.
Speaking at a recent Black Hat security conference, Salvador Mendoza said that the tokens Samsung Pay substitutes for the card's real payment data are not as unpredictable as they should be: by monitoring the token output over a period of time, an attacker can predict future tokens. Mendoza has also built a device that captures those tokens wirelessly as they are transmitted via Samsung's magnetic secure transmission (MST) technology, which lets Samsung Pay emulate a traditional magnetic-stripe swipe at terminals that lack NFC. In other words, a fraudster could covertly capture transaction data and use it to derive further tokens for fraudulent transactions.
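To make the general weakness concrete, here is an added, constructed example (not code from the page, from Mendoza's talk, or from Samsung; it does not model Samsung Pay's real tokenization scheme, whose internals the page does not describe). It contrasts a hypothetical weak tokenizer, where the token is a fixed prefix plus a counter that advances by a fixed step, with a hardened stand-in that draws the token from a CSPRNG. The `predict_next` function plays the attacker: given a handful of captured tokens, it checks whether they form an arithmetic progression and, if so, forecasts the next one. The prefix `621900`, the step of 7, and the Luhn check digit are all arbitrary choices for the demonstration.

```python
"""Token predictability demo. Constructed illustration; not Samsung Pay's scheme."""
import secrets
from typing import List, Optional


def luhn_check_digit(digits: str) -> str:
    """Standard Luhn check digit for a payload of decimal digits.
    Used here only as a stand-in for whatever integrity digit a real token carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # double every other digit, starting at the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


class WeakTokenizer:
    """Hypothetical weak scheme: fixed prefix plus a counter advancing by a fixed step.
    Every token leaks the generator state, so a few captures predict the rest."""

    def __init__(self, prefix: str = "621900", start: int = 1, step: int = 7, width: int = 9):
        self.prefix, self.seq, self.step, self.width = prefix, start, step, width

    def next_token(self) -> str:
        body = f"{self.prefix}{self.seq:0{self.width}d}"
        self.seq += self.step
        return body + luhn_check_digit(body)


def strong_token(length: int = 15) -> str:
    """Hardened stand-in: payload drawn from the OS CSPRNG, so history reveals nothing."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(length - 1))
    return body + luhn_check_digit(body)


def predict_next(observed: List[str]) -> Optional[str]:
    """Attacker's analysis over captured tokens.
    Returns the forecast next token if the payloads form an arithmetic
    progression with valid check digits, else None (no prediction possible)."""
    if len(observed) < 3:
        return None
    if len({len(t) for t in observed}) != 1 or not all(t.isdigit() for t in observed):
        return None
    if not all(luhn_check_digit(t[:-1]) == t[-1] for t in observed):
        return None
    payloads = [int(t[:-1]) for t in observed]
    steps = {b - a for a, b in zip(payloads, payloads[1:])}
    if len(steps) != 1:
        return None                     # no constant step: looks random from outside
    width = len(observed[0]) - 1
    nxt = f"{payloads[-1] + steps.pop():0{width}d}"
    if len(nxt) != width:
        return None                     # counter field would overflow; give up
    return nxt + luhn_check_digit(nxt)


def demo(n_observed: int = 4):
    """Capture n_observed tokens from each generator and try to predict the next one.
    Returns (weak_prediction_correct, strong_prediction)."""
    weak = WeakTokenizer()
    seen = [weak.next_token() for _ in range(n_observed)]
    guess = predict_next(seen)
    actual = weak.next_token()
    strong_seen = [strong_token() for _ in range(n_observed)]
    return guess == actual, predict_next(strong_seen)


if __name__ == "__main__":
    weak_hit, strong_guess = demo()
    print("weak tokenizer predicted:", weak_hit)        # True
    print("strong tokenizer predicted:", strong_guess)  # None
```

The point of the contrast is that the check digit and the fixed-looking prefix do nothing for unpredictability; only the entropy of the varying part matters. A real assessment would additionally look for structure that is not a plain counter (timestamps, sequence numbers mixed with static device identifiers), which this toy analyzer does not attempt.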
Samsung has already responded to Mendoza's claims with a statement asserting that its system is, in fact, secure. In the statement the company outlined its encryption process, noting that “Multiple layers of security from Samsung Pay and our partners are in place to detect threats to security.” The response is somewhat vague about the specific technique Mendoza described, and it is worth noting that there have so far been no public reports of fraudsters attacking Samsung Pay accounts in the way he outlined, although an absence of reports is not evidence that the technique does not work.
This isn’t the first time Samsung has had to deal with a security issue related to MST. Ahead of the launch of Samsung Pay, LoopPay, the company that supplied its MST technology, had its corporate network breached. When the breach came to light, Samsung launched its own investigation, insisted that user data was safe, and proceeded with the US launch of Samsung Pay. There have been no reports of compromised user accounts stemming from that incident.