Samsung Pay:
Tokenized Numbers,
Flaws and Issues
Salvador Mendoza
Twitter: @Netxing
Blog: salmg.net
Who am I?
● Security researcher
● From California, USA
● Mexican(Bad hombre)
@Netxing
Terminology
● NFC: Near Field Communication
● MST: Magnetic Secure Transmission
● VTS: Visa Token Service
● Tokenized Numbers: Surrogated value = Token
● Token: A voucher
● TSP: Token Service Provider
● PAN: Primary Account Number
@Netxing
What is Samsung Pay?
● New app for digital
payments
● Similar to Apple Pay
or Android Pay
● Big difference: MST
protocol
@Netxing
What is MST?
● It is a magnetic field
● The terminal interprets
the electromagnetic
waves like a swiping of
a physical card
● Without security or
encryption because it is
a transmission of one
way
@Netxing
Analyzing Tokenized Numbers (Token)
@Netxing
%4012300001234567^21041010647020079616?;4012300001234567^21041010
647020079616?~4012300001234567^21041010647020079616?
% = Start sentinel for first track
^ = Separator
? = End sentinel for every track
; = Start sentinel for second track
~ = Start sentinel for third track
A tokenized number follows exactly the same format of American Banking
Association (ABA/IATA); emulating perfectly a physical swiping card.
http://www.samsung.com/hk_en/business-images/insights/2015/Samsung_Pay_Will_Transform_the_Mobile_Wallet_Experience-0.pdf
Analyzing a Track
Second track = ;4012300001234567^21041010647020079616?
The last 20 digits are the token’s heart: 21041010647020079616
2104-101-0647020079
616
Token’s heart.
21/04
101
New expiration Service code:
date.
1: Available for
international
interchange.
0: Transactions are
authorized
following the
normal rules.
1: No restrictions.
064702-0079-616
064702: It handles transaction’s
range/CVV role.
0079: Transaction’s id, increase
+1 in each transaction.
616: Random numbers, to fill ABA
format, generated from a
cryptogram/array method.
@Netxing
Offline/online mode
Without internet; did not change the middle counter
%4012300001234567^2104101082000(constant)0216242?
%4012300001234567^21041010820000217826?
%4012300001234567^21041010820000218380?
[…]
With internet, the middle counter increased +1:
%4012300001234567^21041010820000233969?
%4012300001234567^21041010820000234196?
%4012300001234567^21041010820010235585? ← +1
@Netxing
Offline mode
@Netxing
Token Phases
●Active: Normal status after generated.
●Pending: Waiting for TSP’s response.
●Disposed: Destroyed token.
●Enrolled: Registered token.
●Expired: Became invalid after period of time.
●Suspended_provision: Valid PAN, requesting more info.
●Suspended: VST will decline the transaction with a
suspended token.
@Netxing
Updating Token Status
//SAMPLE REQUEST URL
https://sandbox.api.visa.com/vts/provisionedTokens/{vProvisionedToken
ID}/suspend?apikey={apikey}
// Header
content-type: application/jsonx-pay-token: {generated from request data}
// Body
{
"updateReason": {
"reasonCode": "CUSTOMER_CONFIRMED",
"reasonDesc": "Customer called"
}
}
// SAMPLE RESPONSE
@Netxing
// Body
{}
Source: Visa Developer Center
Files Structure
Databases > 20
Directories/files
vasdata.db, suggestions.db, mc_enc.db
/system/csc/sales_code.dat, SPayLogs/
spay.db, spayEuFw.db, PlccCardData_enc.db
B1.dat, B2.dat, pf.log, /dev/mst_ctrl
membership.db, image_disk_cache.db,
loyaltyData.db
/efs/prov_data/plcc_pay/plcc_pay_enc.dat
transit.db, GiftCardData.db, personalcard.db
/efs/prov_data/plcc_pay/plcc_pay_sign.dat
CERT.db, MyAddressInfoDB.db, serverCertData.db
/sdcard/dstk/conf/rootcaoper.der
gtm_urls.db, statistics.db, mc_enc.db
/efs/pfw_data, /efs/prov_data/pfw_data
spayfw_enc.db, collector_enc.db, cbp_jan_enc.db
/sys/class/mstldo/mst_drv/transmit… many more
@Netxing
cbp_jan_enc.db
CREATE TABLE tbl_enhanced_token_info (_id INTEGER PRIMARY KEY
AUTOINCREMENT, vPanEnrollmentID TEXT, vProvisionedTokenID
TEXT, token_requester_id TEXT, encryption_metadata TEXT, tokenStatus
TEXT, payment_instrument_last4 TEXT,
payment_instrument_expiration_month TEXT,
payment_instrument_expiration_year TEXT, token_expirationDate_month
TEXT, token_expirationDate_year TEXT, appPrgrmID TEXT, static_params
...
https://sandbox.api.visa.com/vts/provisionedTokens/{vProvi
sionedTokenID}/suspend?apikey={apikey}
@Netxing
Flaws and Issues
● paramString = LFWrapper.encrypt("OverseaMstSeq", paramString);
● bool1 = b.edit().putString(paramString,
LFWrapper.encrypt("PropertyUtil", null)).commit();
● String str = LFWrapper.encrypt("tui_lfw_seed",
@Netxing
Integer.toString(paramInt));
Encrypt/Decrypt Functions
@Netxing
Flaws and Issues
● Token expiration date is in blank.
● ivdRetryExpiryTime implements timestamp format.
● If Samsung Pay generated a token, but it is not used
to make a purchase, that token is still active/alive.
@Netxing
Flaws and Issues
Adding/deleting the same card.
● %4059557240050212^22111014803010255698?
Deleted
● %4059557240056045^22111014804000001352?
Deleted
● %4059557240056052^22111014804000001457?
● %4059557240056052^22111014848010007855?
Deleted
● %4059557240056557^22111014902000001888?
● %4059557240056557^22111014902000002230?
@Netxing
Attacks
Dangerous scenarios:
● Social engineering
● Jamming MST signal
● International Tokens
● Attack in Real-Time (MagSpoofPI)
● Attacking the NFC Protocol
● Guessing the next token?
@Netxing
Social Engineering(TokenGet)
@Netxing
Social Engineering(TokenGet)
@Netxing
Social Engineering(TokenGet)
TokenGet:
● Raspberry Pi Zero
● Lipo 3.7 V
● PowerBoost 1000
● Credit Card reader one head
● USB adapters
● USB WIFI dongle
● Mini OTG USB
● Cell phone armband
https://www.youtube.com/watch?v=QMR2JiH_ymU
@Netxing
MagSpoof + CC Reader + Raspberry Pi =
JamSpay
+
+
@Netxing
JamSpay
● Pin 7(GPIO04) connected
to a 10K resistor. The other
resistor’s end to GND.
● Raspberry Pi GND to
Attiny’ GND and Raspberry
DC power 3.3 to Attiny’s
@Netxing
JamSpay
●
●
●
●
●
●
●
●
Raspberry Pi Zero
Lipo 5 V
Credit Card reader one head
MagSpoof
USB adapters
USB WIFI dongle
Mini OTG USB
Mini-box
https://www.youtube.com/watch?v=ytV7xNJP1o8
@Netxing
@Netxing
International Samsung Pay
Tokens
https://www.youtube.com/watch?v=EphR18sSjgA
Thanks @Sabasacustico
@Netxing
Attack in Real-time
MagSpoof + Raspberry Pi = MagSpoofPI
● Raspberry Pi 3
● Lipo 3.7 V
● PowerBoost 1000
● USB cable
● MagSpoof
Details about this project:
https://salmg.net/2016/08/27/magspoofpi/
https://www.youtube.com/watch?v=zuDdb3XSupE
@Netxing
Attacking NFC Protocol
@Netxing
How Samsung Pay implements two
different tokens per transaction?
@Netxing
Two tokens for one transaction
MST:
%4012300001234567^21041010820000216242?[…]
NFC:
%4012300001234567^21042010820000217969?[...]
@Netxing
Secure Element at NFC
@Netxing
Analyzing the NFC tags
ATS:
...
77 66 9F 26 08 35 56 96 3E DB 9E D7 8A 94 04 08 03 03 00 82 02 00 40 9F 36 02 00 50
9F 6C 02 01 80 9F 6E 04 23 8C 00 00 9F 10 20 1F 43 01 00 20 00 00 00 00 00 00 00 00 06
68 17 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 13 XX XX D2 21 12 01 68 17
01 00 80 44 3F 5F 34 01 00 9F 27 01 80 90 00
80 CA 9F 17 00
69 85
80 CA 9F 36 00
69 85
@Netxing
...
Attacking Samsung Pay NFC PoC
https://www.youtube.com/watch?v=cD97Bey_2yA
@Netxing
Guessing a Token?
@Netxing
How did Samsung Pay
fix everything?
@Netxing
Other Researchers
https://www.youtube.com/channel/UCZ9ZK4Pv5YNObhP53eCz1g
@Netxing
Beta Project: SamyKam
Services:
●
●
●
●
Web server
Bluetooth service
OLED/Rotary Encoder
MagSpoofPI
Library(avr-gcc code
integration)
More details: salmg.net
https://www.youtube.com/watch?v=zp8G1WKreXA
@Netxing
Take-Away
● Samsung Pay has some levels of security, but it is a fact that
could be a target for malicious attacks.
● Samsung Pay has some limitations in the tokenization
process which could affect customers’ security.
● Finally, tokens generated by Samsung Pay could be used in
another hardware.
@Netxing
Questions?
Salvador Mendoza
Twitter: @Netxing
Blog: salmg.net
[email protected]
Greetz, Hugs & Stuff
Samy Kamkar (@samykamkar)
Andres Sabas (@Sabasacustico)
Pedro Joaquin (@_hkm)
Luis Colunga (@sinnet3000)
RMHT (raza-mexicana.org)
Los Razos
GDG modesto group
Thank you Troopers!
Happy Anniversary!
Salvador Mendoza
Twitter: @Netxing
Blog: salmg.net
[email protected]
© Copyright 2026 Paperzz
