LoopPay hackers may have wanted magnetic card-swipe tech
Backwards-compatible feature used for old cash registers
Samsung’s mobile payment system supplier, LoopPay, was hacked back in March this year, it has emerged.
The breach - blamed on a Chinese hacking crew - at the Samsung subsidiary was only discovered in August. Investigators reckon hackers from the so-called Codoso Group were after information about the magnetic secure transmission (MST) technology developed by LoopPay that forms a key part of the Samsung Pay mobile payment service.
MST emulates commonly used magnetic stripe cards so that Samsung Pay can be used with older cash registers, a backwards compatibility advantage for Samsung Pay compared to systems such as Apple Pay, which rely on the latest point-of-sale terminals to work.
Hackers broke into LoopPay’s corporate network, but not the production system that helps manage payments, Will Graylin, LoopPay’s chief executive and co-general manager of Samsung Pay, told the New York Times. The breach only came to light after a security intelligence firm tracking the Codoso (AKA Sunshock) Group in a separate investigation found LoopPay data before tipping off the mobile payments developer about a potential problem.
The breach dates from a month after Samsung acquired Burlington, Mass.-based LoopPay in February. News of the breach broke late on Wednesday, a week after Samsung Pay launched in the US, just about the worst possible timing for the electronics giant. Samsung is keen to downplay the impact of the attack, stressing that customer payment information was handled by a separate system unaffected by the breach. Samsung Pay débuted in South Korea last month.
“Samsung Pay was not impacted and at no point was any personal payment information at risk,” Darlene Cedres, Samsung’s chief privacy officer, said in a statement, the NYT reports. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”
Intrusions that remain undetected for months have been a consistent feature of recent high-profile attacks, particularly those linked to APT-style hackers such as the Codoso Group.
Haiyan Song, SVP of Security Markets at Big Data vendor Splunk, commented: “Time and again, we see attackers able to lurk undetected in organisations' networks for several months. Today’s news reinforces the need to utilise data science and machine learning for automated analysis and fast access to forensic data to detect these low and slow breaches.
“Our best defence and means for minimising impact on business is differentiating between normal and abnormal activities. When companies analyse user behaviour and know normal activity patterns, they can quickly spot the potentially threatening behaviour and ultimately contain the impact of a breach,” she added. ®