Samsung Pay Provider Hacked Secretly for Months

Samsung Pay provider LoopPay was hacked by suspected Chinese government-linked hackers months before it was acquired by the Korean giant, according to a new report.

The well-known group, dubbed ‘Codoso’ or ‘Sunshock’, breached the Massachusetts-based start-up back in March, several Samsung and LoopPay execs and people briefed on the investigation told the New York Times.

The goal of the hackers appears to be LoopPay’s magnetic secure transmission (MST) technology, which allows users to tap and pay with their devices. The advantage of MST is said to be that it turns legacy magnetic swipe readers—which still dominate the retail landscape in the US—into contactless readers.

LoopPay CEO and Samsung Pay co-general manager, Will Graylin, claimed the attackers broke into the corporate network but not the production system managing payments, leading them to believe that no consumer data had been put at risk.

However, the investigation is still ongoing and LoopPay didn’t even know about the incursion until August, when a firm investigating Codoso came across it.

The group is also known for achieving persistence in victim networks long after the initial attack thanks to hidden backdoors—as it did in the case of Forbes and the US Commerce Department.

Nevertheless, Samsung is putting a brave face on things, given that it only launched its contactless mobile payment platform in the US last week.

“Samsung Pay was not impacted and at no point was any personal payment information at risk,” read a statement from the Korean giant.

“This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”  

Mark Bower, global director of product management at HP Enterprise Data Security, argued that every company today must assume they’ve already been breached and take “advanced threat mitigation measures.”

“The payments business has learned the lesson hard over the years, and embraced far more powerful approaches to data security than traditional perimeter and storage encryption provides,” he added.

“Today, the best-in-class businesses secure the data itself, not just the infrastructure, securing billions of transactions representing trillions of dollars in value with new technologies like Format-Preserving Encryption and stateless tokenization.”

Haiyan Song, SVP of security markets at Splunk, argued that ongoing analysis of network activity and fast access to forensic data can help detect ‘low and slow’ breaches like this.

“Our best defense and means for minimizing impact on business is differentiating between normal and abnormal activities,” she added.

“When companies analyze user behavior and know normal activity patterns, they can quickly spot the potentially threatening behavior and ultimately contain the impact of a breach.”

What’s Hot on Infosecurity Magazine?