Samsung Pay is supposed to be a safe and easy way to make credit card payments with your smartphone, but one researcher says he’s found a way to hack the mobile payments app. A series of YouTube videos by Salvador Mendoza demonstrates how cyber criminals could exploit a security flaw in Samsung Pay.
The main issue seems to be Samsung’s tokenization process, which encrypts your credit card information for each payment but appears to have some major flaws. Mendoza notes that the software creates a new token each time you use Samsung Pay. If the token isn’t actually used for a payment, it stays valid for 24 hours. Hackers could potentially use a high-tech skimmer to intercept your token and use it for another payment instead.
Mendoza demonstrates how this could work with a special MagSpoof device that replicates Samsung Pay’s technology. After grabbing a new token from his Galaxy S6, he uses the gadget to make a purchase at a nearby vending machine. In another video, he even sends a token to a friend in Mexico, and it still seems to work.
Another issue with Samsung Pay is that each new token apparently gets easier to predict. Mendoza claims that hackers could guess future tokens and use them to charge purchases to your credit card.
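To make the two weaknesses described above concrete from the issuer's side, here is an added example (not Samsung's code, and not from Mendoza's videos) of a hypothetical one-time-token validator: it draws tokens from a CSPRNG so one token reveals nothing about the next, expires them after a configurable window, and accepts each exactly once. The scenario function models a token captured at issuance but never spent by its owner and then presented later by someone else, with the 24-hour window beside a much shorter one.

```python
import secrets
from dataclasses import dataclass


@dataclass
class IssuedToken:
    value: str
    issued_at: float        # seconds; supplied by the caller so runs are deterministic
    consumed: bool = False


class TokenIssuer:
    """Issuer-side validator for one-time payment tokens (hypothetical design).

    Controls: CSPRNG-generated tokens (unpredictable), a validity window of
    ttl_seconds (bounds the replay window), and single-use redemption.
    """

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._tokens = {}   # token value -> IssuedToken

    def issue(self, now: float) -> str:
        value = secrets.token_hex(8)          # 16 hex chars from os.urandom
        self._tokens[value] = IssuedToken(value, now)
        return value

    def redeem(self, value: str, now: float) -> str:
        tok = self._tokens.get(value)
        if tok is None:
            return "rejected: unknown token"
        if now - tok.issued_at > self.ttl:
            return "rejected: expired"
        if tok.consumed:
            return "rejected: already used"
        tok.consumed = True
        return "accepted"


def replayed_token_outcome(ttl_seconds: float, delay_seconds: float):
    """Constructed scenario: a token is captured when issued, never spent by
    its owner, presented by a third party delay_seconds later, then presented
    once more a second later. Returns (first_attempt, second_attempt)."""
    issuer = TokenIssuer(ttl_seconds)
    captured = issuer.issue(now=0.0)
    first = issuer.redeem(captured, now=delay_seconds)
    second = issuer.redeem(captured, now=delay_seconds + 1.0)
    return first, second
```

With a 24-hour window the unused token is still accepted an hour after capture, which is the exposure the article describes; with a 60-second window the same replay is refused, and in both cases a second presentation is refused.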
Samsung has denied Mendoza’s findings and argues that Samsung Pay is extremely safe to use. The company told ZDNet that it would “investigate and resolve” any security issues, but didn’t confirm whether it was working on a fix for this specific flaw.
We reached out to Samsung for further clarification and we’ll update this post if we receive a response.
Update: Samsung has responded with the following statement.
Recent reports implying that Samsung Pay is flawed are simply not true. Samsung Pay uses a multi-layer security system that works in tandem with the security systems of our partners to detect any emerging threats. Samsung Pay is safe, secure and consumers can be assured that there is no risk associated with using our payment service.