Samsung Pay: An Early Examination of Security

March 13, 2015

At the Mobile World Congress in Barcelona earlier this month, Android smartphone giant, Samsung, released its mobile payments platform, Samsung Pay. The name will almost certainly draw comparisons to Apple Pay, the mobile payments platform of Samsung’s biggest competitor. However, Samsung Pay has something that Apple Pay does not: Magnetic Secure Transmission (MST).

samsung-pay-vk

MST was actually developed by a company called LoopPay. In mid-February, Samsung quietly acquired LoopPay. While use of Apple Pay is limited to those merchants who deploy near-field-communication enabled point-of-sale terminals, the inclusion of MST means that Samsung Pay has the capacity to interface with existing mag-stripe reading point-of-sale systems. Magnetic stripe readers, of course, constitute the vast majority of payment terminals, particularly in the United States where Chip and PIN (EMV) adoption lags. That said, Samsung Pay is also reportedly NFC-ready, though the company is being tight-lipped about its new payment app.

We aren’t particularly interested in wading into the never-ending Apple vs. Samsung argument here at the Kaspersky Daily, but we are, as always, very interested in the security posture of any new – and potentially popular – payment platform. There isn’t a ton of research available on the security of MST or about the workings of Samsung Pay in general, so we looked to LoopPay to see what the company has had to say about its technology, which is being built into Samsung Pay.

To begin, MST works by running alternating currents through an inductive loop and generating a dynamic magnetic field that changes over a user-specified period of time. Magnetic card stripe readers — like the ones you slide your credit or debit card through — will recognize this magnetic field if your device is within three inches of the reader.

Like a traditional credit or debit card, this magnetic field contains your payment information. The field only exists while the user chooses to transmit it and the field dissipates rapidly beyond three inches, meaning an attacker would have to be incredibly close during the payment process in order to steal payment data. It’s not clear how or if this technology offers any substantive security upgrades over the traditional card-payment model. But it’s safe to presume it doesn’t.

Inside the LoopPay application, users can select if they want their device to emit that magnetic field all the time, never, for ten minutes or eight hours, or some other period of time. With LoopPay itself, there seems to have been a detachable hardware component with its own button for transmitting payment data. So, users would have to set their device to transmit payment data for a certain amount of time and then physically press a button in order to make the service work.

For Samsung, it seems the MST hardware and transmission button are all built into Samsung Pay enabled devices. We reached out to Samsung for confirmation, but the company isn’t saying much about their forthcoming payments platform.

However, in a press release, Samsung explained that users will only need to swipe upward from the bottom of the screen to initiate the Samsung Pay app. They can then choose a payment method from among the cards they have stored in the Samsung Pay wallet and authenticate payments with their device’s built-in fingerprint scanner. More interestingly in terms of security, the press release also makes vague mention of how Samsung Pay will bolster security with the involvement of Samsung’s secure Knox sub-operating system.

If Samsung is not able to incorporate Chip and PIN into Samsung Pay, then they are simply forcing an outdated and insecure mode of payment into the future

It remains unclear how the coming integration of the more secure Chip and PIN technologies will impact the deployment of a technology that relies on magnetic stripe readers. LoopPay has an entire FAQ section dedicated to EMV-related questions. Their position seems to be that MST is as secure as Chip and PIN. It will be interesting to see if Samsung has different plans, especially considering the move to fully adopt Chip and PIN by the end of 2015 in the U.S.

If Samsung is not able to incorporate EMV into Samsung Pay, then they are simply forcing an outdated and insecure mode of payment into the future. Beyond that, LoopPay seems to be gambling that magnetic stripe readers are here to stay, and there is simply no way of knowing how quickly and thoroughly Chip and PIN will be adopted in the U.S. or if some other payment mechanism will emerge and disrupt the current model.

The more obvious concern is implementation. Like everything from operating systems to connected thermostats: bugs are an inevitability. We’ll have to wait for the official release in South Korea and the U.S. this summer. Once Samsung Pay is on the open market, security researchers and attackers will go bug hunting, and we’ll be here to report about it.

It’s also worth noting that Android’s open platform and 76.6 percent market-share — two of the reasons Android has been more heavily targeted by criminals — could make Samsung Pay more attractive to scammers than Apple Pay, which has been the subject of a bit of low-level fraud this month.