{"id":7932,"date":"2015-03-13T09:00:19","date_gmt":"2015-03-13T13:00:19","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=7932"},"modified":"2020-02-27T03:54:06","modified_gmt":"2020-02-26T16:54:06","slug":"samsung-pay-security","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/samsung-pay-security\/7932\/","title":{"rendered":"Samsung Pay: An Early Examination of Security"},"content":{"rendered":"<p>At the <a href=\"https:\/\/www.kaspersky.com.au\/blog\/mwc2015-security\/\" target=\"_blank\" rel=\"noopener\">Mobile World Congress<\/a> <a href=\"https:\/\/www.kaspersky.com.au\/blog\/best-of-mwc2015\/\" target=\"_blank\" rel=\"noopener\">in Barcelona earlier this month<\/a>, Android smartphone giant, Samsung, released its mobile payments platform, Samsung Pay. The name will almost certainly draw comparisons to Apple Pay, the mobile payments platform of Samsung\u2019s biggest competitor. However, Samsung Pay has something that <a href=\"https:\/\/www.kaspersky.com.au\/blog\/apple-pay\/\" target=\"_blank\" rel=\"noopener\">Apple Pay<\/a> does not: Magnetic Secure Transmission (MST).<\/p>\n<p>MST was actually developed by a company called LoopPay. In mid-February, Samsung quietly acquired LoopPay. While use of Apple Pay is limited to those merchants who deploy near-field-communication enabled point-of-sale terminals, the inclusion of MST means that Samsung Pay has the capacity to interface with existing mag-stripe reading point-of-sale systems. Magnetic stripe readers, of course, constitute the vast majority of payment terminals, particularly in the United States where Chip and PIN (EMV) adoption lags. That said, Samsung Pay is also reportedly NFC-ready, though the company is being tight-lipped about its new payment app.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">.@Samsungtweets is joining forces w\/ LoopPay to drive the most compelling, secure &amp; widely accepted digital wallet:<a href=\"http:\/\/t.co\/q24wjBhA4a\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/q24wjBhA4a<\/a><\/p>\n<p>\u2014 LoopPay (@LoopPay) <a href=\"https:\/\/twitter.com\/LoopPay\/status\/568431525328490496?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 19, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>We aren\u2019t particularly interested in wading into the never-ending Apple vs. Samsung argument here at the Kaspersky Daily, but we are, as always, very interested in the security posture of any new \u2013 and potentially popular \u2013 payment platform. There isn\u2019t a ton of research available on the security of MST or about the workings of Samsung Pay in general, so we looked to LoopPay to see what the company has had to say about its technology, which is being built into Samsung Pay.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>What do we know right now about #security in the yet-to-be released #SamsungPay?<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FsEY8&amp;text=What+do+we+know+right+now+about+%23security+in+the+yet-to-be+released+%23SamsungPay%3F\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>To begin, MST works by running alternating currents through an inductive loop and generating a dynamic magnetic field that changes over a user-specified period of time. Magnetic card stripe readers \u2014 like the ones you slide your credit or debit card through \u2014 will recognize this magnetic field if your device is within three inches of the reader.<\/p>\n<p>Like a traditional credit or debit card, this magnetic field contains your payment information. The field only exists while the user chooses to transmit it and the field dissipates rapidly beyond three inches, meaning an attacker would have to be incredibly close during the payment process in order to steal payment data. It\u2019s not clear how or if this technology offers any substantive security upgrades over the traditional card-payment model. But it\u2019s safe to presume it doesn\u2019t.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Samsung Pay vs. Apple Pay: There's a difference <a href=\"http:\/\/t.co\/6tDhvPaLIx\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/6tDhvPaLIx<\/a> <a href=\"http:\/\/t.co\/mi8z7d7ktu\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/mi8z7d7ktu<\/a><\/p>\n<p>\u2014 CNET (@CNET) <a href=\"https:\/\/twitter.com\/CNET\/status\/573517301544255488?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 5, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Inside the LoopPay application, users can select if they want their device to emit that magnetic field all the time, never, for ten minutes or eight hours, or some other period of time. With LoopPay itself, there seems to have been a detachable hardware component with its own button for transmitting payment data. So, users would have to set their device to transmit payment data for a certain amount of time and then physically press a button in order to make the service work.<\/p>\n<p>For Samsung, it seems the MST hardware and transmission button are all built into Samsung Pay enabled devices. We reached out to Samsung for confirmation, but the company isn\u2019t saying much about their forthcoming payments platform.<\/p>\n<p>https:\/\/twitter.com\/androidcentral\/status\/575432136490004482<\/p>\n<p>However, in a press release, Samsung explained that users will only need to swipe upward from the bottom of the screen to initiate the Samsung Pay app. They can then choose a payment method from among the cards they have stored in the Samsung Pay wallet and authenticate payments with their device\u2019s built-in fingerprint scanner. More interestingly in terms of security, the press release also makes vague mention of how Samsung Pay will bolster security with the involvement of <a href=\"https:\/\/www.kaspersky.com.au\/blog\/understanding-samsung-knox\/\" target=\"_blank\" rel=\"noopener\">Samsung\u2019s secure Knox sub-operating system<\/a>.<\/p>\n<div class=\"pullquote\">If Samsung is not able to incorporate Chip and PIN into Samsung Pay, then they are simply forcing an outdated and insecure mode of payment into the future<\/div>\n<p>It remains unclear how the coming integration of the more secure Chip and PIN technologies will impact the deployment of a technology that relies on magnetic stripe readers. LoopPay has an entire FAQ section dedicated to EMV-related questions. Their position seems to be that MST is as secure as Chip and PIN. It will be interesting to see if Samsung has different plans, especially considering the move to fully adopt Chip and PIN by the end of 2015 in the U.S.<\/p>\n<p>If Samsung is not able to incorporate EMV into Samsung Pay, then they are simply forcing an outdated and insecure mode of payment into the future. Beyond that, LoopPay seems to be gambling that magnetic stripe readers are here to stay, and there is simply no way of knowing how quickly and thoroughly Chip and PIN will be adopted in the U.S. or if some other payment mechanism will emerge and disrupt the current model.<\/p>\n<p>The more obvious concern is implementation. Like everything from operating systems to <a href=\"https:\/\/www.kaspersky.com.au\/blog\/securing-the-internet-of-things\/\" target=\"_blank\" rel=\"noopener\">connected thermostats<\/a>: bugs are an inevitability. We\u2019ll have to wait for the official release in South Korea and the U.S. this summer. Once Samsung Pay is on the open market, security researchers and attackers will go bug hunting, and we\u2019ll be here to report about it.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Do you use <a href=\"https:\/\/twitter.com\/hashtag\/ApplePay?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ApplePay<\/a>? Better watch out, it's being used to commit fraud. <a href=\"http:\/\/t.co\/LbU8ipsm7L\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/LbU8ipsm7L<\/a><\/p>\n<p>\u2014 eWeek (@eWEEKNews) <a href=\"https:\/\/twitter.com\/eWEEKNews\/status\/575359033302888449?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 10, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>It\u2019s also worth noting that Android\u2019s open platform and <a href=\"http:\/\/www.idc.com\/prodserv\/smartphone-os-market-share.jsp\" target=\"_blank\" rel=\"noopener nofollow\">76.6 percent market-share<\/a> \u2014 two of the reasons Android has been more heavily targeted by criminals \u2014 could make Samsung Pay more attractive to scammers than Apple Pay, which has been the subject of a bit of low-level fraud this month.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Samsung Pay is set to come out in South Korea and the U.S. this summer. The company isn&#8217;t saying much, but we tried to find out what we could about security on the platform<\/p>\n","protected":false},"author":42,"featured_media":7938,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2646],"tags":[105,820,1015,1012,1014,821,457,1013,97],"class_list":{"0":"post-7932","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-android","10":"tag-apple-pay","11":"tag-looppay","12":"tag-mobile-payment","13":"tag-mst","14":"tag-nfc","15":"tag-samsung","16":"tag-samsung-pay","17":"tag-security-2"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/samsung-pay-security\/7932\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/samsung-pay-security\/4711\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/samsung-pay-security\/5220\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/samsung-pay-security\/7229\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/samsung-pay-security\/7932\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/samsung-pay-security\/7064\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/samsung-pay-security\/7229\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/samsung-pay-security\/7932\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/7932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=7932"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/7932\/revisions"}],"predecessor-version":[{"id":26663,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/7932\/revisions\/26663"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/7938"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=7932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=7932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=7932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}