
Samsung: Hacking Samsung Pay is Very Difficult

Samsung played down a security researcher's claims that hackers could steal digital tokens to make fraudulent purchases.

 & Tom Brant Managing Editor


Samsung this week disputed a security researcher's claims that the Korean tech giant's mobile payments system was vulnerable to hacking.

For each transaction, Samsung Pay sends a digital token, a surrogate for the account holder's card number combined with transaction-specific data, rather than the card number itself. In a research paper prepared for the Def Con hacking conference, security researcher Salvador Mendoza claimed that this tokenization process could leave a consumer's financial information vulnerable.

An attacker could exploit the weakness by getting a token that Samsung Pay had already issued accepted for a further transaction, Mendoza wrote. Besides trying to guess a token by brute force, an attacker could jam a transaction in progress so that the token the phone emits never reaches the terminal, forcing Samsung Pay to generate a new one; the captured, unused token could then be replayed elsewhere.

The entire process could be completed with little more than a Raspberry Pi and a MagSpoof, a small coil-driven board that emits magnetic-stripe data; in Mendoza's setup it disrupts a nearby payment terminal's read, and it can equally replay a captured token to a terminal, according to Mendoza. Unlike Apple Pay and Android Pay, which work only over NFC, Samsung Pay can also complete a transaction through an ordinary magnetic-stripe reader: its Magnetic Secure Transmission (MST) feature emits the same magnetic field a swiped card would, so the terminal reads the token as if it were stripe data.

Samsung did not deny that an attacker could capture its digital tokens, but the company explained that a captured token alone is not sufficient to make an unauthorized charge. Samsung Pay checks each transaction against a counter that tracks the sequence of transactions for that token; an attempted purchase whose counter value is not newer than the last one approved is rejected, which is what blocks straightforward replay of a token that has already been spent.

Each transaction also carries a cryptogram, a one-time value computed with a key held on the device over the token and its counter, so the issuer can verify that the pair was produced by the enrolled phone and not fabricated or altered. Together, the cryptogram and the counter check make it unlikely that Mendoza's approach would work in practice, Samsung said. Even if it did, the Samsung Pay app alerts users after each transaction, Samsung explained, making it easy for them to spot and dispute fraudulent charges with their bank.
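The following is an added example, not code from the article or from Samsung, that models the two checks Samsung describes and runs the scenarios Mendoza raised against them. The wallet, issuer, token format, key and counter layout are all hypothetical simplifications; real token services differ in detail. The point it makes is where each check helps: the counter rejects a token that has already been spent, the cryptogram rejects a guessed or forged token, but a token that was jammed and never reached the issuer passes both checks when replayed, unless the victim has made another purchase in the meantime.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def cryptogram(key: bytes, token: str, counter: int) -> str:
    """Transaction cryptogram: a MAC over the token and counter under the
    per-token key. Without the key an attacker cannot mint a valid pair."""
    msg = f"{token}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class Payment:
    token: str        # surrogate for the card number (hypothetical format)
    counter: int      # per-token transaction sequence number
    cryptogram: str   # cryptogram(key, token, counter)


class Wallet:
    """Hypothetical phone-side wallet: emits one Payment per tap."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token, self.key, self.counter = token, key, 0

    def pay(self) -> Payment:
        self.counter += 1
        return Payment(self.token, self.counter,
                       cryptogram(self.key, self.token, self.counter))


class Issuer:
    """Hypothetical token service: verifies the cryptogram, then the counter."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def enroll(self, token: str, key: bytes) -> None:
        self.keys[token] = key
        self.last_counter[token] = 0

    def authorize(self, p: Payment) -> str:
        key = self.keys.get(p.token)
        if key is None:
            return "rejected: unknown token"
        expected = cryptogram(key, p.token, p.counter)
        if not hmac.compare_digest(expected, p.cryptogram):
            return "rejected: bad cryptogram"
        if p.counter <= self.last_counter[p.token]:
            return "rejected: stale counter (replay)"
        self.last_counter[p.token] = p.counter
        return "approved"


def scenarios() -> dict[str, str]:
    """Run the capture/replay cases discussed in the article; returns verdicts."""
    key = b"\x7a" * 32            # constructed per-token key
    token = "4111-DPAN-0001"      # constructed token, not a real PAN
    issuer = Issuer()
    issuer.enroll(token, key)
    wallet = Wallet(token, key)
    out: dict[str, str] = {}

    # 1. Normal tap: the terminal forwards the payment and it is approved.
    used = wallet.pay()
    out["legit"] = issuer.authorize(used)

    # 2. Attacker skims the just-used payment and replays it verbatim:
    #    the counter check catches it.
    out["replay_used"] = issuer.authorize(used)

    # 3. Attacker knows the token but not the key and guesses the next
    #    counter: the cryptogram check catches it.
    forged = Payment(token, used.counter + 1, "0" * 16)
    out["forged"] = issuer.authorize(forged)

    # 4. Jammed tap: the wallet emitted a payment the terminal never got.
    #    Replaying it passes both checks, because the issuer never saw it.
    jammed = wallet.pay()
    out["replay_jammed"] = issuer.authorize(jammed)

    # 5. If the victim taps again before the attacker replays a jammed
    #    payment, the counter has moved on and the stale one is rejected.
    late = wallet.pay()             # captured and jammed, not yet replayed
    issuer.authorize(wallet.pay())  # victim's next successful purchase
    out["replay_jammed_late"] = issuer.authorize(late)
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} {verdict}")
```

Case 4 is the one the counter argument does not address on its own: a token that was blocked before reaching the terminal carries a counter the issuer has never seen, so a verbatim replay is indistinguishable from the legitimate retry. In a scheme like this, what bounds that window is a short validity period on each token and the victim's next successful purchase (case 5), plus the post-transaction alert the article mentions.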
