Samsung Pay flaw lets thieves remotely collect credit card credentials

“Samsung Pay’s legacy point-of-sale system compatibility mode may be insecure, as a token theft and remote use vulnerability was demonstrated by a security researcher at the Black Hat conference,” Mike Wuerthele reports for AppleInsider.

“The potential security flaw, demonstrated by security analyst Salvador Mendoza at the Black Hat security conference, relies on Samsung’s “magnetic secure transmission” central to Samsung Pay’s ability to work at existing magnetic stripe point-of-sale terminals,” Wuerthele reports. “A proof of concept magnetic hardware capture device was demonstrated by Mendoza at the conference. His prototype build was strapped to his arm, and forwarded intercepted tokens to an email address. The prototype is also sufficiently small to be hidden inside a point of sale terminal.”

Wuerthele reports, “Samsung claims that the skimming attack which results in a token relay to a third party is a ‘known issue’ and is an ‘acceptable’ potential risk, given the difficulty of executing the attack.”

Read more in the full article here.

MacDailyNews Take: Since you’d have to be brain-dead to use Samsung Pay in the first place, but you couldn’t since you’d unfortunately be brain-dead, it’s easily the most secure payment system the world has ever seen.

Anyone who trusts Samsung Pay is either batshit insane or already insolvent.MacDailyNews, October 7, 2015

Samsung Pay’s profitless model gets a ‘failing grade’ but it provides free insight into consumer behavior – March 8, 2016
Apple Pay is crushing Samsung Pay – February 27, 2016
Chinese hackers infiltrated LoopPay, whose tech is central to ‘Samsung Pay’ – October 7, 2015
Struggling Samsung delays rollout of mobile payment service – June 3, 2015
Google demos Apple Pay wannabe, ‘Android Pay’ – May 28, 2015
Samsung’s LoopPay payment move creates friction with Google – February 20, 2015

[Thanks to MacDailyNews Reader “Dan K.” for the heads up.]


  1. Well, it serves Samsung’s customers right — they should not have supported immoral thieves and pirates by being a Samsung device in the first place.

    1. The vast majority of people have no knowledge of any companies prior history, nor do they care.
      Someone who gets a BOGO deal on a Samsung phone or actually likes Samsung devices does not deserve to be targeted by thieves or suffer identity theft.
      If you think they are, you are a brain dead zealot and characterise everything wrong with rampant fanboyism.

        1. Sorry, peterblood71, but I have to side with Nekogami on this issue. We should not celebrate property or identity theft or wish it on anyone (Putin might be a rare exception!). Owning a Samsung device is not justification for wishing misfortune upon someone, no matter how much you or I may dislike the company.

          Also, as Nekogami13 accurately points out, most people are unaware of Samsung’s slavish copying or the privacy and security issues with using Google Android. They don’t know and they don’t really care (until it gets them). But ignorance and apathy, no matter how irritating, is not justification for ill-wishing.

          Apple advocates have resorted to overzealous posts and attacks in the past and the negative stereotype still lingers – fanboys, lemmings, etc. Those types of negative actions harm us and Apple by turning people away from the Mac and iOS. We need to gently and politely advocate the Mac and iOS to people who are open to the idea…people who are questioning their Samsung or HP devices and are curious about the Apple ecosystem. It is harmful to aggressively push Apple products – people tend to shy away from that. And it is also highly counterproductive (and unfair) to adopt the disparaging attitude that MDN regularly promotes in describing clients of Samsung, Google, etc. People do not generally change their mind when you insult them.

          The best way to promote Apple products is to show them how well they work for you. Let them make the decision to switch, and offer them support when they decide to do so. That is the way to “convert” someone. And be fair and open about it – people may have valid reasons not to switch to the Mac or iOS and that is fine. Don’t hassle them about it or they might never consider switching again, even when the situation changes and the perceived roadblock no longer exists.

          Use restraint. Show compassion. And show some freaking class.

          1. My criticism of Nekogami13 was in his last sentence and how unnecessary it was, not the Samsung issue at all. He succumbed in a way unnecessary to his points and only dissembled and negated it in the process. I’m no choir boy either but it just hit me wrong.

            I disagree with you to the extent it’s good if people can differentiate, even at the cost of a harsh lesson, between what companies focus on cheap/good enough, data mining & poor security and others on quality/security. Eye opening experiences are not a bad thing.

            Class? That was my criticism of him actually. Restraint and compassion was not a quality Nekogami13 possessed which brought about my response. His last sentence should not have been said. There was nothing remotely unclassy in my response to him. On this forum we see lots of subpar low class behavior, most of it from the visiting Tim Cook hating trolls. Would that the Internet was a more civil place but it ain’t. I don’t search for or create trouble in the first place but I don’t ignore either.

            1. “… Someone who gets a BOGO deal on a Samsung phone or actually likes Samsung devices does not deserve to be targeted by thieves or suffer identity theft.
              If you think they are, you are a brain dead zealot and characterise everything wrong with rampant fanboyism.”

              “My criticism of Nekogami13 was in his last sentence and how unnecessary it was, not the Samsung issue at all. He succumbed in a way unnecessary to his points and only dissembled and negated it in the process.”

              Really? You should read what Nekogami13 said again. Sounds to me like he stated it exactly ‘as-is’.

            2. I might suggest you do the same or are suffering from the same lack of coherent class. Calling people brain dead and rampant fanboys is not the way to make intelligent points. He could have said it differently and made the same conclusion, but that’s not the way of today’s rude ‘n crude Internet types hiding under pseudonyms.

      1. Nekogami13,

        Yet it is in people’s own best interests to be informed. Question: Why do thieves steal things? Answer: to get something for nothing. Would you rather trust a thief or a hard-working innovator with your privacy and confidential data? The vast majority of people would presumably say: with a hard-working innovator.

        Everyone deserves to be a health, wealthy, and wise. No one deserves to be targeted by thieves of suffer identity theft, I agree.

        But if you buy stuff from a thief, they you should not be surprised if it is not as good as the hard-working innovator’s original product. Years ago I bought a video of a new-release film on a street corner in NYC at a silly cheap price — “it’s a steal, man, it’s a steal” is what the hawker said. Got home and, you know what, it _was_ a steal. Dude stole my money! The video was blank. Good lesson learned. Ultimately, you get what you pay for.

        The fundamental rule of economics: caveat emptor. Let the buyer beware.

        No, I don’t wish ill on anyone. But if you are gonna buy a piece of crap, don’t be surprised when it craps out on you. You get what you pay for. Or the thief does…

  2. No one can steal from a samsung or any other android user because for starters, they don’t have any money you can steal from them. Why do you think they settled with a crappy iPhone imitation in the first place?

  3. How in the world is that an acceptable risk? The whole point of contactless payments is to be more secure than the magnetic stripe technology they’re replacing. Every person with a Samsung pay terminal needs to disable the functionality asap to protect their customers. There are plenty of smart criminals in the world who could easily execute this attack, and probably already have. Get an iPhone with a secure enclave, and completely anonymous Apple Pay, and stop buying this derivative insecure garbage. And the first person this happens to should sue the living shit out of Samsung for knowingly not patching a vulnerability.

      1. Actually, yes. If Apple Pay had that same flaw I would say the same thing provided Apple responded the same way. The issue isn’t the vulnerability itself, the issue is that Samsung knows about it and calls it an “acceptable risk” and won’t patch it. But historically if something like this is discovered in an apple product, they patch it almost immediately. The issue at hand is samsungs willful neglect of the responsibility to correct the issue.

  4. Readers may recall that certain banks, notably in Australia have demanded special access to the inner workings of IOS so that they can create their own payment services. This Samsung debacle demonstrates why Apple should not allow others to try and create alternative payment systems on IOS. If this had been a story about a third-party payment app on an iPhone being fundamentally flawed, there would be huge headlines all around the world shouting about security problems with payments on iPhones. In some articles, the small print might possibly have mentioned that Apple Pay was unaffected, but I wouldn’t bet on them saying that and readers would certainly have gone away with the impression that there was a problem with iPhones.

    Samsung may regard this exploit as an acceptable risk, but Apple doesn’t settle for ‘good enough’.

    By fully integrating all the security features of iPhones and keeping them strictly under Apple’s control, Apple can offer a truly secure and easy to use payments system. There is no practical middle course.

  5. FUD. Samsung Pay works with tokenization just like Apple Pay. The difference is that Samsung has a magnetic transmitter that allows it to work at any point of sale terminal. The magnetic range is inches, so to steal a token you would have to hold the phone up to the perp’s skimmer and activate Samsung Pay. Then the user would still get a payment notification if the perp used the token for a purchase.
    This is like saying Apple Pay is insecure because I was able to knock out the Watch owner and prop his arm up to the reader.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.