Photo: Reuters
Today, September 29, 2016, the Samsung Pay payment service, designed for contactless payment for goods and services, starts work in Russia. Until the end of the year, it will be available to owners of Galaxy series smartphones released no earlier than 2016. For now, Samsung Pay can only be used by MasterCard holders.
A year ago, Samsung Pay was successfully launched in the United States. But do not forget that contactless payments are much more common there than in Russia. This was largely due to Apple’s main competitor in the market. It will not be a surprise to anyone that there is still a large percentage of cash payments in the territory of the Russian Federation: people in certain cities still receive their salaries mainly in envelopes from the accounting office.
Apart from the fact that contactless payments are a progressive technology, they are also considered the safest. At least, representatives of Samsung Pay are sure of it. The company promises that payments will be completely safe. But what is behind these promises? What makes this possible?
In August, researcher Salvador Mendoza spoke at the Black Hat conference with a report in which he described security problems in Samsung Pay. However, the company claims that Mendoza's findings are erroneous and that security is in order.
Mendoza's report on the Samsung Pay study focuses on the generation and use of tokens for authorization and transaction execution.
A token is a digital value randomly generated by the payment system when the card is activated.
The researcher said that attackers can predict what the next token will be based on previous tokens already generated by the application.
In addition, Mendoza claims that Samsung Pay tokens “live” for at least 24 hours, even if the user did not use them, and even if the user has already generated other tokens. An attacker can extract and use such tokens independently.
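An added illustration, not part of the original article and not Samsung's or Mendoza's code: a hypothetical token service whose rules address the three properties the report describes (predictable values, unused tokens that stay valid for a long time, and older tokens that remain valid after newer ones are issued). The class name, the 5-minute lifetime and the card id are assumptions.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; the report describes >= 24 hours


class TokenService:
    """Hypothetical issuer-side token store: one live token per card."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._live = {}  # card_id -> (token, issued_at)

    def issue(self, card_id):
        # CSPRNG output: earlier tokens give no information about later ones.
        token = secrets.token_hex(16)
        # Overwriting the entry invalidates any older, unused token.
        self._live[card_id] = (token, self._clock())
        return token

    def authorize(self, card_id, token):
        entry = self._live.get(card_id)
        if entry is None:
            return "rejected: no live token"
        live_token, issued_at = entry
        if not secrets.compare_digest(live_token.encode(), token.encode()):
            return "rejected: superseded or unknown token"
        del self._live[card_id]  # single use; an expired token is purged too
        if self._clock() - issued_at > self._ttl:
            return "rejected: expired"
        return "approved"


def demo():
    now = [1_000.0]  # constructed fake clock so the run is deterministic
    svc = TokenService(clock=lambda: now[0])
    card = "card-001"  # constructed sample card id
    results = []
    old = svc.issue(card)
    new = svc.issue(card)
    results.append(svc.authorize(card, old))    # token captured earlier
    results.append(svc.authorize(card, new))    # current token, first use
    results.append(svc.authorize(card, new))    # replay of a used token
    stale = svc.issue(card)
    now[0] += TOKEN_TTL_SECONDS + 1
    results.append(svc.authorize(card, stale))  # unused but too old
    return results
```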
The message on the Samsung website says: "Securing your payment information is a top priority for Samsung Pay, so the developers of the service provided for the presence of high-tech security elements."
Representatives of the company claim that Samsung Pay does not use the algorithm described in the Black Hat presentation to encrypt payment information and generate cryptograms.
Moreover, the use of tokens and fingerprint authentication is considered an advantage by Samsung Pay developers.
We asked the experts to speak not only about security, but also about the prospects for Samsung Pay on the Russian market.
Evgeni Vildyaev, Mobile-Review.com
1. In your opinion, what are the prospects for the introduction of contactless payment methods in Russia and how much time is required for the masses to adopt this technology?
Contactless payments are an image story rather than a really important function. The fact is that to pay with a smartphone, you need to take it out, unlock it, unlock the application for payment, and only then bring it to the terminal. It is much easier to take a bank card and insert it into the same terminal (or tap it, if we are talking about cards with PayPass / PayWave).
2. Samsung Pay is just one of the products of the competing application layer. In your opinion, who has more chances to seize the market: plastic issuers (Visa, Mastercard) or holders of hardware complexes (Samsung, Apple)?
I bet on VISA and MC, because the smartphone is from Apple today, from Samsung tomorrow, and from anyone else the day after tomorrow. It is important that there is a convenient cross-platform application and that you do not need to think about whether it will work or not.
It seems to me that the more correct option is when the bank integrates the possibility of payment from the phone into your banking application. And it just becomes a nice cherry on the cake in addition to the rest of the functions. That is, in the case of Android, this is support in the native application; in the case of iOS, work with Apple Pay.
3. Finally, what do you think about the safety and security of contactless payments? Is the emergence of groups of intruders “earning” on the imperfection of these technologies or on flaws in the software and hardware complex possible specifically in Russia?
Everything directly depends on the attentiveness and vigilance of the users themselves. In fact, payment requires double fingerprint authentication, and copying it is not so easy. But the unlocking PIN code of the smartphone will definitely be a weak point, so you just need to be careful and not “shine” your password in public places.
Philip Shubin, COO of the developer of the Wallet app, CardsMobile
1. In your opinion, what are the prospects for the introduction of contactless payment methods in Russia and how much time is required for the masses to adopt this technology?
Contactless payments in Russia have been developing since 2013, when our application became the first application for payments by the touch of a smartphone. But the development of this payment method so far slows down the development of infrastructure: as of the end of 2016, 25% of bank terminals in the country are able to accept contactless payment.
But every year the percentage of devices accepting this method of payment is growing, and by 2020, contactless payment will work on all terminals in the country.
The launch of Samsung Pay in Russia, of course, will spur the development of the sphere. But for the development of mobile contactless payments, it is much more important to start working in Russia to service the tokenization of MasterCard payment cards, which will allow the mass “transfer” to smartphones the issued cards of Russian issuing banks.
2. Samsung Pay is one of the products of the competing application layer. In your opinion, who has more chances to seize the market: plastic issuers (Visa, Mastercard) or holders of hardware complexes (Samsung, Apple)?
When discussing solutions for contactless mobile payments, payment systems and vendors cannot be opposed. Mobile solutions work using technologies that the payment systems themselves are developing: first, cloud payment technology from MasterCard and Visa, and now tokenization technology. Therefore, payment systems also actively stimulate the development of mobile payment solutions, which allows us to hope for an early rejection of plastic.
3. Finally, what do you think about the safety and security of contactless payments? Is the emergence of groups of intruders “earning” on the imperfection of these technologies or on flaws in the software and hardware complex possible specifically in Russia?
A terrible story about an attacker who will be on the subway with a bank terminal and withdraw money from your contactless bank card is a myth. For this, the fraudster needs at least a real registered bank terminal, which transfers money from the card to the bank account of a natural or legal person, and the fraudster will not be able to withdraw money from it without legal consequences.
Payment systems together with banks are working to ensure maximum security of cards and payments on them. Security is provided at the level of terminal software, carriers, appropriate licensing and legal schemes.
Today, if a user does not write a PIN code on his card and does not dictate his CVC and one-time password from SMS, intruders have almost no chance to receive money from a bank card.
When talking about payments by smartphone, we never tire of assuring our existing and potential users that this is perhaps even a safer way to pay for purchases than payment by bank card. You control your smartphone and rarely release it. But if you do not trust secure technologies of cloud payments and tokenization, you can always set a password to enter the payment application or even a one-time password for each payment using a mobile bank card.
Alexander Baulin, IT and high-tech technology expert
1. In your opinion, what are the prospects for the introduction of contactless payment methods in Russia and how much time is required for the masses to adopt this technology?
Contactless technology is well established in Russia. At least, it is used by large networks such as Starbucks. It is also beginning to be used on transport (I know for sure about the payment in Moscow and St. Petersburg).
2. Samsung Pay is one of the products of the competing application layer. In your opinion, who has more chances to seize the market: plastic issuers (Visa, Mastercard) or holders of hardware complexes (Samsung, Apple)?
I think in Russia there are more chances for plastic issuers, they are already quite common. Apple has yet to convince Russian dealers to widely introduce support for their technology. But Samsung users, despite the wide distribution of their smartphones, are less active in using paid services and making purchases (applications, for example). I assume that they will use the new payment method less actively than Apple users and, accordingly, less frequently than owners of plastic cards with an NFC chip.
3. Finally, what do you think about the safety and security of contactless payments? Is the emergence of groups of intruders “earning” on the imperfection of these technologies or on flaws in the software and hardware complex possible specifically in Russia?
This is possible in any country. Including in Russia. The small number of users will be compensated by the fact that the “hunt” can be conducted in places of large concentrations of potential victims: in the food courts of large shopping centers. Another thing is that there has not yet been mass hacking of wireless technologies (alarming photos without proof are not taken into account), which means that by default we cannot consider it dangerous.
Perhaps this is the case when a foil cap will help. You need to make a card case out of it. With a smartphone it will be more difficult: the signal of the cellular network must reach the antennas.
Natalya Karpova, Samsung Pay Project Manager at Alfa Bank
1. In your opinion, what are the prospects for the introduction of contactless payment methods in Russia and how much time is required for the masses to adopt this technology?
The emergence of Samsung Pay is the emergence of another payment method, the main advantage of which is the ability to pay for a product or service using the phone, forgetting about plastic. In modern realities, having a phone at hand is sometimes more important than having a wallet.
2. Samsung Pay is one of the products of the competing application layer. In your opinion, who has more chances to seize the market: plastic issuers (Visa, Mastercard) or holders of hardware complexes (Samsung, Apple)?
Contactless payment technologies are being actively developed in Russia, so Samsung Pay just replaces cards, which is a good example of the symbiosis of the bank, the payment system and the phone.
Another advantage of Samsung Pay is that it works with any terminals, that is, a person can pay using the phone even where they do not accept contactless cards (NFC).
3. Finally, what do you think about the safety and security of contactless payments? Is the emergence of groups of intruders “earning” on the imperfection of these technologies or on flaws in the software and hardware complex possible specifically in Russia?
In terms of security of transfers, some problems will not appear: the tokenization mechanism provides a fairly high level of security, since it is not the card data that is transferred directly for payment, but the token itself.
Alfa-Bank, VTB24, MTS, Raiffeisenbank, Russian Standard and Yandex became partners of the payment system. Bank customers who have linked their cards to this service will be able to pay with them in retail outlets.
One of the project partners, VTB 24, believes that the popularity of the new service among the bank’s customers will grow and in 2017 the Samsung Pay turnover will exceed 1 billion rubles. Partners note a steady growth in contactless payments. According to the Russian Standard Bank's network, the share of contactless payments in terms of turnover has increased several times in recent years: from 0.5% in 2014 to 1.2% in 2015 and 2.1% in the first half of 2016.