Just days after the Korean electronics manufacturer, Samsung, launched its new mobile payment software in the U.S., the company announced that the technology behind the service was hacked.
Earlier this year, Samsung acquired the American technology startup, LoopPay. The company, founded in 2012, developed a cell phone case and corresponding application that would enable customers to pay for items with their phones rather than swiping their credit card.
When Samsung purchased the company in February of this year, it used its infrastructure, software and hardware designs to create Samsung Pay, a mobile payment application that does not require a case, as prior LoopPay products had.
Unfortunately for Samsung, LoopPay was hacked shortly after the acquisition, as early as this past March, according to a report in The New York Times.
The Times explained that the attack was performed by the Codoso, or sometimes known as Sunshock, Group, which is affiliated with the Chinese government. The attack seems to be a case of corporate espionage, with Codoso looking for the secrets behind LoopPay's magnetic secure transmission (MST) technology.
LoopPay was one of many companies created at around the same time with the goal of making a "smart card," which is a device that stores credit card information, allowing customers to use it in place of a credit card. MST made LoopPay's product unique, as it could work with older point of sale hardware by emulating the way magnetic strip credit cards work.
Samsung used the work LoopPay had done to build a competitor to Apple Pay and Android Pay with Samsung Pay, which ditches MST in favor of near field communication technology. Though the Korean manufacturer no longer seems interested in MST, it would seem that China is.
Because initial indications claim that the goal of the attack was to steal MST, any potential credit card information shouldn't be affected, but as the investigation is still ongoing, customers should be monitoring their credit statements closely.
If when acquiring or working with another company, it is important to ensure that their disaster recovery planning process incorporates robust network and data security standards.