X

Samsung says customer payment data not affected by hack attack

A March attack was aimed at LoopPay, a payments company owned by Samsung, but the electronics giant insists customer data is safe.

Katie Collins Senior European Correspondent
Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.
Katie Collins
3 min read

Samsung Pay being used on a Samsung Galaxy S6 Edge. Sarah Tew/CNET

Customers who use the Samsung Pay mobile payments system weren't hurt by a hack attack on LoopPay, a company Samsung acquired to help power the service, the company said on Thursday.

LoopPay, which Samsung acquired in February to set up its payment system, was hit by a hacking incident in March, The New York Times reports. Samsung is seeking to reassure customers that their data is not at risk, saying it is "confident that Samsung Pay is safe and secure," according to a Samsung blog post. The South Korean company said the hack was "an isolated incident" that did not impact Samsung Pay, which runs on a physically separate network to LoopPay, at all.

The company announced Samsung Pay at Mobile World Congress in March 2015 and launched in the US last week, with more countries expected to get the service soon. With the technology in the spotlight, Samsung has a strong interest in it being perceived as trustworthy.

Smartphones are increasingly being equipped with payment technologies that provide a convenient alternative to paying by cash and card. So far in 2015, we have seen Apple, Google and Samsung launch competing mobile payments services. But just as with online payments and mobile banking, consumers will need to know they can trust the services to handle their money securely before they will achieve the same ubiquity as credit and debit cards.

The Samsung Pay tokenisation system, which issues a store an encrypted digital token instead of a credit or debit card number each time a payment is made, means that merchants and retailers cannot ever see customer data, Samsung said. Apple Pay and other mobile wallet services also rely on tokenisation.

The LoopPay incident related solely to the office network handling only email, file sharing and printing, Samsung's blog post said. As soon as the attack was discovered, independent professionals dealt with it quickly, and the company put extra safeguards in place to protect against future attacks.

A government-affiliated Chinese hacker group known as the Codoso Group or Sunshock Group was responsible for the attack, The New York Times said. LoopPay believes they were trying to steal the company's magnetic strip technology -- the primary reason Samsung bought the company.

Magnetic strip technology, or MST, sets Samsung Pay apart from Apple Pay, Android Pay and other competitors. Most smartphone payment services can only be used when a store has installed a contactless card terminal. That's used by tapping a phone or communication-enabled card against the payment station. Many stores around the world, however, still rely on older terminals that require cards to be swiped against a magnetic strip. With MST, you can pay with your smartphones even at shops or other locations that still use these older terminals. Resting your phone against the magnetic strip reader enables a wireless payment, just as if you were paying at a contactless terminal.

Samsung says its payments system is off to "an amazing start," with customers reporting that they are "overwhelmingly satisfied". The company still has much to prove though, having only launched so far in two markets. Apple Pay, which launched slightly earlier and is already up and running in the UK, Australia and many other countries, has had more of a head start. And Android Pay is a more direct rival to Samsung Pay given that both services will be available on Samsung phones.