Security researcher Salvador Mendoza recently discovered a security flaw in Samsung Pay and discussed it during his Black Hat talk in Las Vegas. Samsung Pay generates a token each time a transaction is made. The idea is that the token masks the credit card information, so that if it is intercepted the hacker cannot see the card details. According to Mendoza, however, the process becomes weaker with every token that Samsung Pay generates, to the point where, if it is used enough times, a hacker could predict future tokens and steal them for use in another device. George Rice, Senior Director, Payments at HPE Security – Data Security, commented below.
George Rice, Senior Director, Payments at HPE Security:
“Mobile devices offer many consumer conveniences, which are often driven by the quick and easy access to sensitive data. Mobile payments applications like Samsung Pay are no different, storing an individual’s preferred payment cards in its phone-based app. Many mobile wallet providers use surrogate card values called payment tokens to reduce exposure of sensitive data when transmitting to the payment acceptance business. This announcement of Samsung Pay’s security flaw highlights that payment tokens still have value to criminals who may capture and use stolen payment tokens for fraudulent transactions. Businesses and consumers must recognise that mobile devices are inherently insecure data environments, and use a combination of encryption and tokenization to achieve maximum protection of sensitive data. Techniques like format-preserving encryption allow mobile wallets to encrypt credit card information, payment tokens and personal information (e.g. date of birth, SSN) immediately upon capture so the data is useless even if stolen by data thieves.”