Samsung Pay: Tokenized Numbers, Flaws and Issues

DerbyCon 6.0 - Recharge

Presented by: Salvador Mendoza
Date: Sunday September 25, 2016
Time: 10:30 - 10:55
Location: Pimlico
Track: Stable Talks

Samsung announced many layers of security for its Pay app. Without storing or sharing any of the user's credit card information, Samsung Pay is trying to become one of the most secure approaches, offering functionality and simplicity to its customers. The app is a complex mechanism that has some limitations relating to security. It uses random tokenized numbers and implements Magnetic Secure Transmission (MST) technology, neither of which guarantees that every token generated with Samsung Pay will be used to make a purchase with the same Samsung device. That means an attacker could steal a token from a Samsung phone and use it without restrictions on other devices. Inconvenient but practical is that Samsung's users can use the app in airplane mode. This makes it impossible for Samsung Pay to have full control over the pile of tokens. Even though the tokens have their own restrictions, the tokenization process gets weaker after the app generates the first token relating to a specific card. How random is a Spay tokenized number? It is really necessary to understand how the tokens heretically share similarities in the generation process, and how this affects the end users' security. What are the odds of guessing the next tokenized number knowing the previous one?

Salvador Mendoza

Modesto Junior College student

