Hackers who targeted Samsung Pay may be looking to track individuals

The hackers who allegedly broke into the Samsung subsidiary are spies more than profiteers

The security breach at Samsung subsidiary LoopPay was probably more about spying than about gathering consumer data for profit, and the worst could be yet to come, a security analyst said Wednesday.

Samsung acknowledged the attack on LoopPay, which it acquired in February for technology that it uses in its Samsung Pay service. It said hackers only breached LoopPay's office network, not systems used by Samsung Pay. The affected servers have been isolated and no personal payment information was put at risk, according to Samsung.

However, if the breach was carried out by the notorious Codoso Group in China, as The New York Times reported, it probably wasn't intended to steal consumer data for sale, said Ken Westin, a senior security analyst at threat-detection software company TripWire.

The Codoso Group has been linked to large-scale attacks on major defense, finance and other organizations, including websites related to the Uyghur minority in China. It allegedly is affiliated with the government of China.

The hackers probably wanted access to LoopPay's code, possibly to develop the capability to collect information on individuals, Westin said.

Alex Holden, CEO of the consultancy Hold Security, agreed. Codoso may have ultimately wanted to know "who bought what, when," he said. For example, if an important individual made a purchase at a coffee shop in Los Angeles, an infiltrator could learn something about that person's travels.

And while LoopPay may have worked out the details of this particular breach, it's probably facing what security researchers call an advanced persistent threat, he said. That kind of attacker keeps coming back and probing different parts of a company's infrastructure looking for weaknesses and laying the groundwork for future infiltrations. Samsung should be worried, Westin said.

However, the attack shouldn't prevent consumers from using Samsung Pay, Westin said.

"I would be cautious, as you should be with any new sort of payment service, but I don't think this is a reason not to use the service at this time," he said.

LoopPay's network was breached in February, shortly before Samsung bought the Massachusetts startup for US$250 million, the Times said. The hackers were in the network for about five months before LoopPay discovered the breach in late August, when an organization tracking the Codoso Group found LoopPay's data.

That shows the startup may have had strong intrusion prevention tools but weak detection capabilities, Westin said. The most sophisticated hackers don't even use identifiable malware but but exploit components within a company's own systems, like Powershell on Windows. "For a lot of businesses, this is a big challenge now," he said.

Samsung Pay is the latest platform for wirelessly buying things with a mobile device by holding it up to a point-of-sale system. Like Apple Pay, it's designed to be more secure than traditional credit cards because each payment doesn't use the same card number. Instead, the system uses an encrypted token and certificate information that can only be used once, according to Samsung.

Samsung acquired LoopPay for a technology it developed, Magnetic Secure Transmission, that lets a mobile device emulate a magnetic stripe card. That helps Samsung Pay work with older payment systems.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleHoldenSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stephen Lawson

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place