Security researcher Salvador Mendoza recently discovered a security flaw in Samsung Pay and discussed it during his Black Hat talk in Las Vegas. Basically, Samsung Pay generates a token each time a transaction is made. The idea is that this masks the credit card information so that, in the event the token is intercepted, the card details can’t be seen by the hacker. However, according to Mendoza, with every token that Samsung Pay generates the process becomes weaker and weaker, to the point where, if used enough times, a hacker could predict future tokens and steal them for use on another device. George Rice, Senior Director, Payments at HPE Security – Data Security, commented below.
George Rice, Senior Director, Payments at HPE Security:
“Mobile devices offer many consumer conveniences, which are often driven by the quick and easy access to sensitive data. Mobile payments applications like Samsung Pay are no different, storing an individual’s preferred payment cards in its phone-based app. Many mobile wallet providers use surrogate card values called payment tokens to reduce exposure of sensitive data when transmitting to the payment acceptance business. This announcement of Samsung Pay’s security flaw highlights that payment tokens still have value to criminals, who may capture and use stolen payment tokens for fraudulent transactions. Businesses and consumers must recognise that mobile devices are inherently insecure data environments, and use a combination of encryption and tokenization to achieve maximum protection of sensitive data. Techniques like format-preserving encryption allow mobile wallets to encrypt credit card information, payment tokens and personal information (e.g. date of birth, SSN) immediately upon capture, so the data is useless even if stolen by data thieves.”