Samsung Pay flaws discovered: your device may be in danger

It is generally believed that contactless payments are the most secure mode of payment, but a researcher has revealed that the tokenization system used by Samsung Pay is easy to predict and steal from.

The security researcher recently stole a token generated by Samsung Pay and used it to make a purchase from a different device.


In July of last year, Samsung joined hands with MasterCard to launch its contactless payment system across the globe, starting with the United States and South Korea. MasterCard's MDES technology enables tokenization of credit, debit, co-brand, prepaid and small business cards for use in e-wallet services. Samsung also acquired the wireless payment system LoopPay with a view to countering the increasingly popular Apple Pay wireless payment technology. Using add-on devices for smartphones, LoopPay can transmit stored credit card information to magnetic card readers to ensure smooth payments.


Salvador Mendoza, the researcher in question, recently demonstrated via a YouTube video that the tokens generated by Samsung Pay can be easily predicted. Once stolen, such tokens can be used to make fraudulent transactions without the knowledge of the account holder, just like someone getting hold of your debit card and PIN and making transactions in a shop.

Mendoza did not obtain any tokens that Samsung Pay had yet to issue, but said that the tokenization process works in such a way that anyone can predict their codes. Stolen tokens can then be used to make contactless payments even in regions where Samsung Pay is not yet available. He sent a token to a friend in Mexico, who went on to make a purchase using magnetic spoofing hardware.


Mendoza stole the token using custom hardware that can detect Magnetic Secure Transmission (MST) signals from Samsung phones. Whenever it is placed near a phone with Samsung Pay installed, the hardware can store all the tokens generated by the Samsung Pay app and send them to an e-mail address, whose owner can then make as many purchases as he wants. The MST system generates a magnetic field that couples with that of the card reader to carry the payment information. If hardware like Mendoza's were installed in card readers, stealing tokens would be as easy as making a payment with Samsung Pay.

Given that both Apple Pay and Android Pay also use tokenization to let users perform contactless transactions, we wonder whether, like Samsung Pay, they too are vulnerable to such flaws. If they are, then the contactless payments industry is due for a course correction as soon as possible.
