Samsung has confirmed its Pay service has a security issue that means hackers could spend money from your account, but it's "extremely unlikely" to ever happen.
Samsung Pay translates your credit card information into a "token" to ensure your details won't be stolen in the transaction process, but hackers are theoretically able to take it in a skimming attack and use it themselves.
However, the Samsung Security Blog has admitted while it would be possible, the conditions to achieve this would be rare: "In order for this "token skimming" to work, multiple difficult conditions must be met. First the user must permit the token and cryptogram generation with his or her own authentication method.
"This pair of token and cryptogram (also known as a "payment signal") must be transmitted to the POS for each transaction and cannot be used for multiple transactions.
"Then the fraudster needs to capture the signal on a device that is within very close proximity to the Samsung phone."
Magnetic Secure Transmission – one of the pieces of tech used by Samsung Pay to make payments – only works at short ranges, much like NFC.
What would it take?
Salvador Mendoza - who pointed out the Samsung Pay vulnerability - notes someone would be able to pose as a Samsung employee and pretend to teach customers how the service works, all the while carrying out the skimming attack.
The hacker would also need to block the transmission between the phone and the card issuer though, or use the token very quickly afterward before the details go through.
The blog post finishes, "In summary, Samsung Pay's multiple layers of security make it extremely difficult to make a purchase by skimming a token."
It also highlighted that the user's phone would be sent an alert of any payment, so anyone exposed to the fraud would instantly be able to see an erroneous transaction.
Even though there is a security risk here, Samsung is certain its security is high enough to make the scenario almost impossible to recreate.
