Samsung Pay wasn’t breached in state-sponsored LoopPay hack, executives say

LoopPay — the Massachusetts-based company that Samsung acquired in February and the developer behind one of Samsung Pay’s core technologies — stores a lot of valuable data behind its virtual walls. Data so valuable, in fact, that the company’s servers were recently the target of state-sponsored hackers. The New York Times reports that as early as March, a team of government-affiliated Chinese hackers known as the Codoso Group managed to infiltrate LoopPay’s corporate network.

The apparent target of the breach was LoopPay’s technology. Unlike Apple Pay and Android Pay, LoopPay uses magnetic secure transmission (MST), a radio-based mechanism that wirelessly emulates a credit card swipe. While most tap-and-pay mobile wallets require a point-of-sale system with near-field communication (NFC) capabilities, Samsung says MST works with “90 percent” of legacy terminals in use by U.S. retailers.

LoopPay, which became aware of the breach in late August, told the New York Times an ongoing investigation had found no evidence that the hackers accessed sensitive customer data. Will Graylin, LoopPay chief and co-general manager of Samsung Pay, told the Times that the group wasn’t able to breach the system that stores payment information. Samsung executives echoed those assurances.

“Samsung Pay was not impacted and at no point was any personal payment information at risk,” said Samsung’s chief privacy officer Darlene Cedres in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.” Samsung also said the breach won’t impact the U.S. rollout of Samsung Pay, which began a little over a month ago.

Some security analysts believe the extent of the damage may take weeks to uncover. The Codoso Group had access to LoopPay’s corporate servers for five months before a third-party company stumbled upon signs of the breach. And in an attack on Forbes perpetrated by the Codoso Group last November, later forensics revealed the presence of resilient backdoors to the news organization’s infrastructure.

LoopPay has hired two private security teams to investigate the breach. The company hasn’t notified law enforcement because it believes “no customer data or financial information had been stolen,” the Times reports.

The hack is the latest in a series of Chinese attacks on high-profile U.S. targets. A breach of the U.S. Office of Personnel Management’s (OPM) network in June affected four million state employee records, and in 2011, a Chinese state-affiliated group managed to breach the U.S. Chamber of Commerce.
