Samsung Pay Susceptible To Credit Card Skimming, Although Attacks Are 'Highly Unlikely'

Many have touted mobile payments and digital wallets like Apple Pay and Android Pay as being more secure and convenient than regular plastic credit cards. It turns out these mobile methods can be just as vulnerable to scams as more traditional payment methods. In fact, Samsung recently confirmed that Samsung Pay is susceptible to wireless credit card skimming.

How does Samsung Pay work? Samsung Pay actually utilizes several methods to keep customer information secure. Unlike some other mobile payment options, Samsung Pay can also use a magnet in order to transmit information. Magnetic Secure Transmission or MST essentially shoots out a magnetic code from a small coil in the phone that credit card machines can read.


Samsung Pay also uses tokenization, which sets up temporary Visa or Mastercard numbers when customers make a payment. Tokens have no meaning by themselves and are worthless to criminals if a company's system is breached in any way. The information is then stored in a "trusted execution environment" which is further isolated from any other app.

Salvador Mendoza, during a Black Hat talk in Las Vegas on August 4th, demonstrated that Samsung Pay could be breached. He argued that Samsung uses a particular algorithm to encrypt payment credentials or generate cryptograms.

Samsung refuted Mendoza's claim that it uses that algorithm; however, it did admit that the payment method could be vulnerable to wireless credit card skimming. A scammer, for example, could offer to demonstrate Samsung Pay to unsuspecting customers, and then use a hidden wireless scanner to intercept a few tokens.

Thankfully, credit card numbers would not be compromised by this scam. A token could only be used within twenty-four hours, could only be intercepted if the scanner was within a few inches of the phone, and could only be used if the customer had been unable to complete their own transaction.
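To make those three constraints concrete, here is an added, constructed model of an issuer-side token store that enforces single use and a 24-hour lifetime; it is illustration only, not Samsung's or a card network's code, and the token format and clock are assumptions.

```python
import secrets
import time

TOKEN_LIFETIME_SECONDS = 24 * 60 * 60  # the twenty-four-hour window stated in the article


class TokenVault:
    """Constructed issuer-side store modelling the token constraints described above."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # token -> {"issued": timestamp, "used": bool}

    def issue(self):
        token = secrets.token_hex(8)  # placeholder for a network payment token
        self._tokens[token] = {"issued": self._clock(), "used": False}
        return token

    def redeem(self, token):
        """Accept a token at most once, and only within its lifetime."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if self._clock() - rec["issued"] > TOKEN_LIFETIME_SECONDS:
            return False, "expired"
        if rec["used"]:
            return False, "already used"
        rec["used"] = True
        return True, "accepted"


def skimming_scenarios():
    """Walk the three outcomes the article implies for an intercepted token."""
    now = [1_000_000.0]  # constructed, controllable clock
    vault = TokenVault(clock=lambda: now[0])
    # 1. Customer completes the purchase; a replay of the same token is refused.
    t1 = vault.issue()
    customer = vault.redeem(t1)
    replay = vault.redeem(t1)
    # 2. Customer's transaction never completed, so the token is still live inside the window.
    t2 = vault.issue()
    now[0] += 3600
    unused_within_window = vault.redeem(t2)
    # 3. An intercepted token held past twenty-four hours is refused.
    t3 = vault.issue()
    now[0] += TOKEN_LIFETIME_SECONDS + 1
    stale = vault.redeem(t3)
    return {"customer": customer, "replay": replay,
            "unused_within_window": unused_within_window, "stale": stale}
```

Only the second case leaves an intercepted token redeemable, which is why the article calls the attack labor intensive: the skimmer must be within inches and the customer's own payment must have failed.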

Is Samsung Pay vulnerable to scams? Mendoza has demonstrated that it is, and Samsung has confirmed it. Luckily the scamming process is rather labor intensive and depends on a number of specific conditions lining up.