Samsung Pay, like Android Pay and Apple Pay, is a mobile payment solution designed to let you make purchases using nothing but your phone. The Samsung Pay application stores your credit card information and turns it into tokens that are meant to be usable only once. But that process may not be as secure as you thought.
At a Black Hat talk in Las Vegas, security researcher Salvador Mendoza presented evidence that the tokenization process Samsung uses can be predicted. Mendoza says that once the first token is generated for a specific card within Samsung Pay, it becomes easier to predict future tokens because of the limited sequencing used to generate them. To demonstrate this, Mendoza sent a friend in Mexico a token, who then used that token with a magnetic spoofing tool to make a Samsung Pay purchase, even though the service has not yet launched in Mexico.
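The security-relevant point in Mendoza's claim is that a one-time payment token is only as good as its unpredictability: if tokens follow a short sequence, seeing one is enough to anticipate the next, and a separate replay check on the server does nothing to stop a freshly predicted token. The following Python is an added example written for this article, not Samsung Pay's real scheme and not Mendoza's code; it contrasts a constructed sequential issuer with a keyed, nonce-based issuer and shows the two server-side checks a validator needs (a MAC under a per-card key and a redeemed-token set). The `card_key`, token layout and sizes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: neither issuer below is Samsung Pay's actual tokenization.


class SequentialTokenIssuer:
    """Weak scheme: tokens come from a short incrementing counter with no secret.
    Anyone who observes one token can predict the next one."""

    def __init__(self, start: int = 0):
        self.counter = start

    def issue(self) -> str:
        self.counter += 1
        return f"{self.counter:08d}"


class HmacTokenIssuer:
    """Stronger scheme: each token is a random nonce plus an HMAC of that nonce
    under a per-card secret key, so past tokens reveal nothing about future ones."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key

    def issue(self) -> str:
        nonce = secrets.token_bytes(8)  # assumed size, unpredictable per token
        mac = hmac.new(self.card_key, nonce, hashlib.sha256).digest()[:8]
        return (nonce + mac).hex()  # 16 bytes -> 32 hex characters


class TokenValidator:
    """Server-side check: accept a token only if its MAC verifies under the
    card key AND it has never been redeemed before (true one-time use)."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.redeemed: set[str] = set()

    def validate(self, token_hex: str) -> bool:
        try:
            raw = bytes.fromhex(token_hex)
        except ValueError:
            return False
        if len(raw) != 16:
            return False
        nonce, mac = raw[:8], raw[8:]
        expected = hmac.new(self.card_key, nonce, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):
            return False  # forged or corrupted token
        if token_hex in self.redeemed:
            return False  # replay of an already-spent token
        self.redeemed.add(token_hex)
        return True


def next_sequential_guess(observed: str) -> str:
    """What an observer of the weak scheme would guess as the next token."""
    return f"{int(observed) + 1:08d}"


def predictability_demo() -> dict:
    """Runs both schemes and reports which defensive properties hold."""
    seq = SequentialTokenIssuer(start=1000)
    first = seq.issue()
    guessed = next_sequential_guess(first)
    actual = seq.issue()

    card_key = secrets.token_bytes(32)  # constructed per-card secret
    strong = HmacTokenIssuer(card_key)
    validator = TokenValidator(card_key)
    token = strong.issue()

    return {
        # The weak scheme's next token is fully determined by the previous one.
        "sequential_is_predictable": guessed == actual,
        # A freshly issued keyed token is accepted exactly once.
        "first_use_accepted": validator.validate(token),
        "replay_rejected": not validator.validate(token),
        # A token not produced with the card key fails the MAC check.
        "forged_rejected": not validator.validate(secrets.token_bytes(16).hex()),
    }


if __name__ == "__main__":
    for prop, holds in predictability_demo().items():
        print(f"{prop}: {holds}")
```

The replay set alone would not have helped against the predictability Mendoza describes, since a predicted token is by definition not yet in the set; the unpredictability of the nonce and the MAC under a key the observer never sees is what closes that gap.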
Samsung hasn’t commented on the specifics of the research, but it issued a statement saying, “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.” Check out Mendoza’s video below to watch the process take place.