Chinese hackers infiltrated LoopPay, whose tech is central to ‘Samsung Pay’

“Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers,” Nicole Perlroth and Mike Isaac report for The New York Times. “As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.”

“LoopPay executives said the Codoso hackers appeared to have been after the company’s technology, known as magnetic secure transmission, or MST, which is a key part of the Samsung Pay mobile payment wallet that made its public debut in the United States last week,” Perlroth and Isaac report. “Both LoopPay and Samsung executives said they were confident that they had removed infected machines, and that customer payment information and personal devices were not affected. They added that there was no need to delay the introduction of Samsung Pay, which had its debut in the United States last week after executing more than $30 million worth of purchases in South Korea.”

“But two people briefed on the investigation, as well as security experts who have been tracking the Codoso hackers as they have targeted hundreds of victims around the world, said it would be premature to say what the hackers did and did not accomplish since they were discovered in August,” Perlroth and Isaac report. “To start, the hackers were inside LoopPay’s network for five months before they were discovered. And the Codoso Group is known for maintaining a hidden foothold in its victims’ systems. Security experts say the group’s modus operandi is to plant hidden back doors across victims’ systems so that they continue to infiltrate their networks long after the initial breach.”

“After a similar attack by another Chinese state-affiliated hacking group on the U.S. Chamber of Commerce in 2011, the chamber believed it had rid hackers from its network only to discover months later that an office printer and even a thermometer in one of its corporate apartments were still sending information back to computers in China,” Perlroth and Isaac report. “Samsung introduced Samsung Pay in the United States just 38 days after LoopPay learned it had been breached. On average, it takes 46 days before an attack by hackers can be fully resolved, according to the Ponemon Institute, a nonprofit that tracks breaches. But the time to fix the damage is typically much longer in cases of sophisticated Chinese hackings like the one at LoopPay.”

Much more in the full article here.

MacDailyNews Take: Anyone who trusts Samsung Pay is either batshit insane or already insolvent.

[Thanks to MacDailyNews Readers “Fred Mertz,” “Wing thing,” and “Sparkles” for the heads up.]


  1. This paragraph from Yahoo! Finance is a HOOT!

    The day will come. Android will have a breach of Biblical proportions.

    Don’t install apps from unknown sources, but don’t assume every single app on the Google Play or Apple iTunes store is reliable. SC Magazine found last month that “in Google Play… 30,552 of 401,549 apps were malicious.” Apple is much more restrictive in vetting the apps that are approved for release via iTunes (and their OS is often more resistant to malware as a result of their controls), but this comes at a cost of the flexibility Android users often prefer.

    Here is the entire read.

    SuckDroid is more holy than Swiss Cheeeez. What a joke.

    Android Google users are SO omnipotent and FCKIN STUPID!

  2. Security experts say the group’s modus operandi is to plant hidden back doors across victims’ systems so that they continue to infiltrate their networks long after the initial breach.

    This sounds like what China (via the government-sponsored ‘Red Hacker Alliance’) did to US federal computers exposed to the Internet. The US feds finally admitted this had been going on for some time as of 2007.

    1. MacDailyNews Take: Anyone who trusts Samsung Pay is either batshit insane or already insolvent.

      The worst thing Samsung Pay does is allow lazy, cheap, stupid companies to keep their POS POS devices running Windows XP Embedded, card scanners that keep customer data In-The-Clear in RAM, ripe for the picking. This is precisely what happened at Target and countless other companies, resulting in multi-millions of customer credit cards being stolen then sold to the highest bidders over the Internet.

      So do NOT use Samsung Pay if you value your identity, privacy, credit card number, etc.
