A security researcher has discovered limitations in Samsung Pay's security, which, if exploited by an attacker, could be used in another phone to allow someone else to fraudulently make payments.

The magnetic-based contactless payment system, which comes standard in many newer Samsung phones, works by translating credit card data into tokens so that a hacker can't grab credit card numbers from the device. But those tokens aren't as secure as one might hope. Expert explained that the tokenization process gets weaker after the app generates the first token from a specific card, meaning that there's a greater chance that future tokens could be predicted.

Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.

As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.