Samsung Pay works kind of like bank card chips: slide a phone over a reader synced up to the service and it broadcasts a "token" number inspired by but not exactly like that of the linked financial account. Unlike a magnetic strip on the back of your typical bank plastic, which delivers exactly the sixteen digits on the front and therefore can be reused infinitely, these "tokenized" systems are only created for that single transaction.

Of course, the account and "token" numbers have to be linked somehow, or systems wouldn't know where to charge purchases. That's where the algorithm comes in, a formula that generates new temporary numbers that is, users trust, too complex for hackers to crack. In his paper, Black Hat researcher Salvador Mendoza lays out how he believes this system works, including how the one-time "tokens" are generated, and lays out three scenarios for hackers to break into that algorithm: use a magnetic card spoofer to generate tokens, jam a transaction to force another temporary code to be generated while the hacker uses the first and use a social engineering tool to capture tokens and transmit them by email.

Naturally, Samsung denies that its algorithm works how Mendoza described it. Its security blog post points to a technology FAQ illustrating how its system protects against hackers: first, with its Knox software-and-hardware identity verification, and second, with TrustZone processor architecture built specifically to run sensitive processes separately from typical ones.

The FAQ doesn't say that some of these methods, like jamming the signal and "skimming" unused tokens, is impossible, just extremely unlikely. To work, it would have to meet several requirements: the hacker would have to be physically near the purchase and jam the user before approving it. Even then, the Samsung Pay user would be alerted when the scammer used the token. This is a known issue, the FAQ notes, but given that every purchase runs through both the tech giant's and the bank's fraud analysis algorithm, they deemed it extremely unlikely and therefore acceptable.

Update: Samsung has issued a statement, included below: