Mobile payment services like Apple Pay and Android Pay are generally seen as safer than credit cards because of the tokenized system they use to prevent information from being stolen. It seems as though Samsung Pay, however, isn’t as safe as the rest.
According to a recent blog post from Samsung, a third party can intercept tokens generated by Samsung Pay and then use those tokens to make wireless payments, effectively stealing credit card information for one payment.
“This skimming attack model has been a known issue reviewed by the card networks and Samsung Pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack,” said Samsung in the post. In other words, while an attack is possible, it’s unlikely.
It’s not all bad, of course. Even with this vulnerability, Samsung Pay is most definitely safer than using a credit card: even if a token is stolen, the actual credit card information remains safe. Tokens can also only be used once, and only within 24 hours of being generated; otherwise they are rejected.
As Phandroid notes, while token skimming may seem like a long process for a thief, it’s actually not that difficult: someone posing as a salesperson could offer to show a user how Samsung Pay works and secure a token, if not multiple ones. Still, without literally handing your phone over to a scammer, on purpose or by accident, you’re pretty safe using a system like Samsung Pay.
Just as when you’re using a credit card, common sense rules. Do something silly, however, like let someone else pay with your phone, and you could get burned. You most certainly shouldn’t take this news as a sign to return to the humble credit card.