Mobile payment systems have been expected to provide more efficient and convenient payment methods. However, compared to traditional payments, issues related to the security of electronic accounts and payment apps present serious challenges for mobile payment. In this paper, we identify potential security risks by analyzing the commonly used tokenized mobile payment method and put forward the corresponding off-site attack strategy. In this scenario, the attackers are not limited to malicious third parties but can also be illegal merchants. To address the off-site attack, and in particular attackers who may be malicious merchants, we also propose SALP, a secure and authenticated payment protocol. We conduct case studies to demonstrate that SALP can effectively prevent the off-site payment attack without a trusted hardware environment. Finally, we argue that SALP introduces no additional system overhead and does not degrade the convenience of mobile payment.