Samsung Pay isolated from LoopPay attack

Samsung’s mobile payments system is not affected by a cyber breach at US subsidiary LoopPay, according to the South Korean firm.

LoopPay developed key technology for Samsung Pay, but the payment system is operated by Samsung’s mobile division and not on the same network as LoopPay.

This means the hackers who compromised LoopPay’s computer systems had no access to Samsung Pay’s user data or other core information, Samsung said.

LoopPay was targeted by a group of government-affiliated Chinese hackers, according to the New York Times.

The hackers, known as the Codoso Group or Sunshock Group, are believed to have breached the LoopPay computer network as far back as March 2015, but the breach was only discovered five months later.

The hackers are believed to have been after LoopPay’s magnetic secure transmission technology, which is a key component of the Samsung Pay mobile payment wallet.

However, the compromised LoopPay servers reportedly did not contain any commercially sensitive information.

The LoopPay technology enables Samsung Pay to work with the magnetic-stripe card readers used by many retailers, unlike its mobile payment competitors, such as Apple Pay.

“The LoopPay breach underlines that no one is free from breach risk,” said Mark Bower, global director of product management and enterprise data security at Hewlett-Packard Data Security.

“If you store, process and collect sensitive data – especially payments and personal data – your business is on the radar of attackers, period,” he said. 

Forensics can be a powerful tool to discover the extent of a breach, but by then the data is long gone, said Bower.

“Any company today has to assume a breach will happen and take more advanced threat mitigation measures,” he said.

According to Bower, the payments business has learned the lesson and embraced far more powerful approaches to data security than traditional perimeter and storage encryption provides.

“The best-in-class businesses secure the data itself, not just the infrastructure, securing billions of transactions representing trillions of dollars in value with new technologies, such as format-preserving encryption and stateless tokenisation,” he said. 

This means organisations adopting this approach do not keep live data where it can be stolen.

“This is a huge shift from older perimeter or disk and database encryption approaches, which simply can’t withstand advanced attacks such as those reported in this case,” said Bower.