Chinese hackers breach LoopPay

Hackers affiliated with the Chinese government have breached the computer network of the mobile wallet outfit at the centre of Samsung Pay, according to the New York Times.

As far back as March, the Codoso Group hackers managed to penetrate the systems of LoopPay, a US startup acquired by South Korean electronics giant Samsung for more than $250 million at the beginning of this year, says the Times, citing sources.

The hack, confirmed by LoopPay and Samsung executives, appears to have targeted LoopPay's magnetic secure transmission (MST) technology, which turns existing mag-stripe readers into contactless receivers.

The MST technology was seen as a major factor in Samsung's acquisition of LoopPay, giving it an advantage over rivals Apple and Google in the mobile wallet battle by making the service available at more locations.

Samsung Pay launched in the US last week, a month after arriving in Korea, where it has notched an impressive $30 million in transactions since debut. More countries are slated to follow in the next few months.

Will Graylin, LoopPay chief executive and co-general manager of Samsung Pay, says that an investigation appears to show that although the hackers accessed corporate networks, they did not get into the production system and that customer data does not seem to have been compromised.

Channels

Retail banking Security Payments

Keywords

Mobile & online banking

Comments: (1)

Stephen Wilson - Lockstep Consulting - Sydney 15 October, 2015, 08:41

Be the first to give this comment the thumbs up

0 likes

It's not quite clear what's going on here. One part of the story suggests that LoopPay's "magnetic secure transmission (MST) technology" was compromised, which might mean card data could be spoofed and fraudulent transactions created. But in another part of the story, LoopPay management refers only to their corporate network being breached.

If there is any possibility of LoopPay transactions being compromised, then it's time to review the legitimacy of this type of product. There has been a wave of innovative technologies in the past three years that exist to squeeze a bit more life out of obsolete mag stripe systems. LoopPay bombards a magstripe card reader with pulsating magnetic fields that simulate the induction pattern of a card as it is swiped. Competing approaches Plastc and Coin simulate a ferrite tape with a programmable magnetic transducer. In all these cases, the card scheme branded plactic card is being replaced by a clever gadget.

But here's the thing. Read the merchant services agreement of Visa or MasterCard and you'll find black-and-white clauses that say the merchant must only accept cards that exhibit the trademarks, holograms and other tamper resistance measures of the scheme. If the merchant doesn't check, and if a Card Present transaction goes bad, then the merchant can be liable for the charge-back.

When these card simulating gadgets work well, it seems everyone is happy to turn a blind eye. But when they start going bad at the hands of criminals, you have to think at some point the card companies will step in and enforce the rules. That's what the rules are for. These stop-gap gadgets offer to delay the inevitable shift to EMV, but EMV exists for a reason: it's much much harder to spoof a chip than a magnetic stripe.

The crazy thing about LoopPay, Coin and Plastc is they actually exploit the very weaknesses that EMV shuts off. These gadgets are themselves cases of hacking! Their legitimacy in my mind has always been dubious.