LoopPay Breach Brings Fresh Attention to Third-Party Risk

Samsung may have a hard time convincing users of Samsung Pay that a breach of its LoopPay technology by Chinese hackers has nothing to do with payment card data or the security of the mobile wallet.

More importantly, the breach of the underlying LoopPay technology that Samsung acquired to accelerate its mobile wallet development illustrates the potential dangers of relying heavily on third-party technology providers.

"There's a very real risk associated with getting your technology through acquisition," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "Now, it's great for speed to market with a product or service, but it does reinforce the need for some very solid risk management and risk practices to bring that firm into the fold."

The notorious Codoso Group, also known as Sunshock Group, infiltrated LoopPay's computer network in an attempt to steal the technology specifications months before Samsung Pay made its U.S. debut in late September, according to a report in The New York Times.

It was widely known that Samsung's addition of Burlington, Mass.-based startup LoopPay was based on the company's technology — the creation of a wireless signal that mimics the magnetic pulse of a plastic magstripe payment card.

Samsung has not fully absorbed LoopPay into its company, leaving it physically separated at this time, Conroy said. "So, it was a small company that maybe still had small company security and small company risks," she added.

Even before it was officially called LoopPay, the Magnetic Secure Transmission technology was garnering industry attention when it debuted in 2013, a time when the payments industry was uncertain about the future of Near Field Communication for contactless mobile payments. NFC has since been used as the basis for Apple Pay, but even that is limited to the availability of compatible NFC terminals. MST operates on older terminals that do not have NFC readers, enabling Samsung Pay to operate at significantly more locations than rival wallets.

"The Chinese are known for going after Internet intellectual property rather than card data," Conroy said. "LoopPay may be really focused on protecting all of its card data, but maybe some of its practices around intellectual property were not quite as robust."

LoopPay did not respond to inquiries regarding the breach report.

Credit monitor Experian Information Solutions Inc. faced a similar situation in early 2014 when a company it acquired two years earlier, Court Ventures, was victimized by a criminal using a Court Ventures account to hack and sell sensitive data on more than 200 million Americans.

In addition, the Chinese group that attacked LoopPay is also considered responsible for infiltrating the Forbes computer network.

"The LoopPay breach really highlights the threat," Conroy said. "These guys are really sophisticated."

Even if no card data is stolen as part of the LoopPay hack, the average U.S. consumer contemplating the use of mobile wallets is not going to differentiate between criminals stealing payment data and criminals stealing intellectual property, Conroy said.

"A breach is associated with Samsung Pay, so automatically it is a black eye in your average consumer's eye," she added.

However, even the most unsightly black eyes can heal. Earlier versions of Google Wallet (the precursor to Android Pay) and the Starbucks app were both criticized for their handling of PIN and password security. And Apple announced Apple Pay while it was still fending off backlash from the leak of private nude photos from its iCloud storage service.
