Hackers who targeted Samsung Pay may be looking to track individuals

The security breach at Samsung subsidiary LoopPay was probably more about spying than about gathering consumer data for profit, and the worst could be yet to come, a security analyst said Wednesday. 

Samsung acknowledged the attack on LoopPay, which it acquired in February for technology that it uses in its Samsung Pay service. It said hackers only breached LoopPay’s office network, not systems used by Samsung Pay. The affected servers have been isolated and no personal payment information was put at risk, according to Samsung.

However, if the breach was carried out by the notorious Codoso Group in China, as The New York Times reported, it probably wasn’t intended to steal consumer data for sale, said Ken Westin, a senior security analyst at threat-detection software company TripWire. 

The Codoso Group has been linked to large-scale attacks on major defense, finance and other organizations, including websites related to the Uyghur minority in China. It allegedly is affiliated with the government of China. 

The hackers probably wanted access to LoopPay’s code, possibly to develop the capability to collect information on individuals, Westin said. 

Alex Holden, CEO of the consultancy Hold Security, agreed. Codoso may have ultimately wanted to know “who bought what, when,” he said. For example, if an important individual made a purchase at a coffee shop in Los Angeles, an infiltrator could learn something about that person’s travels.

And while LoopPay may have worked out the details of this particular breach, it’s probably facing what security researchers call an advanced persistent threat, he said. That kind of attacker keeps coming back and probing different parts of a company’s infrastructure looking for weaknesses and laying the groundwork for future infiltrations. Samsung should be worried, Westin said. 

However, the attack shouldn’t prevent consumers from using Samsung Pay, Westin said. 

“I would be cautious, as you should be with any new sort of payment service, but I don’t think this is a reason not to use the service at this time,” he said.

LoopPay’s network was breached in February, shortly before Samsung bought the Massachusetts startup for US$250 million, the Times said. The hackers were in the network for about five months before LoopPay discovered the breach in late August, when an organization tracking the Codoso Group found LoopPay’s data. 

That shows the startup may have had strong intrusion prevention tools but weak detection capabilities, Westin said. The most sophisticated hackers don’t even use identifiable malware but but exploit components within a company’s own systems, like Powershell on Windows. “For a lot of businesses, this is a big challenge now,” he said.

Samsung Pay is the latest platform for wirelessly buying things with a mobile device by holding it up to a point-of-sale system. Like Apple Pay, it’s designed to be more secure than traditional credit cards because each payment doesn’t use the same card number. Instead, the system uses an encrypted token and certificate information that can only be used once, according to Samsung.

Samsung acquired LoopPay for a technology it developed, Magnetic Secure Transmission, that lets a mobile device emulate a magnetic stripe card. That helps Samsung Pay work with older payment systems.