Eavesdropping of Magnetic Secure Transmission Signals and Its Security Implications for a Mobile Payment Protocol

Magnetic secure transmission (MST) is a technology that emulates the action of swiping a magstripe card in a card reader in that it artificially generates the magnetic signal produced when a card is swiped. MST provides extremely high backward compatibility, i.e., mobile payment using an MST device is possible through most conventional magstripe readers. However, MST devices transmit magnetic signals to a remote magstripe card reader. Hence, it is possible to eavesdrop on such signals. We developed a device that can remotely eavesdrop on magnetic signals emitted by MST devices. Thus, we could obtain the one-time payment token contained in such signals at a maximum distance of 2.7 m. We successfully performed a wormhole attack against Samsung Pay, a widely used MST-based mobile payment service, and we were able to execute payment a few kilometers from where the eavesdropped one-time token was actually created.