NEW YORK (MainStreet) — The news is frightening: sophisticated hackers got into the corporate network of Burlington, Mass.-based payments innovator LoopPay, now part of Samsung and the provider of much of the brains behind Samsung Pay, its Apple Pay competitor that launched in the U.S. in late September.
Users of Samsung Pay need to ask if it remains safe to use the service.
That is why Samsung has launched a full court press to quiet consumer and merchant worries. Said the company in a statement: “Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network from Samsung Pay. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay. Samsung is extremely committed to securing and protecting user data to the highest industry standards.”
Experts readily dissected the Samsung statement.
“Samsung is clearly trying to downplay what occurred,” said Peter Toren, cybersecurity attorney with Weisbrod Matteis & Copley in Washington, D.C. and author of Intellectual Property and Computer Crimes (Law Journal Press, 2015). Toren raised two key questions that have yet to be answered: “How long were the hackers in the system? What were they trying to accomplish?” He suggested that Samsung’s comparative stinginess with details is a barrier to feeling reassured.
Christopher Budd, a security expert with Trend Micro, offered a more worrisome thought: “It looks as though Samsung may have been the ultimate target.” His reasoning: a proven attacker methodology is to find a weak link - an HVAC contractor, say - and pivot from that system into the real objective. For example, the Target breach happened, in part, because of weaknesses at its HVAC contractor. That is a standard gambit. So LoopPay could have been a stepping stone into Samsung - but there is no proof that occurred.
Another theory - put forth by several security experts - is that the hackers, identified by the New York Times as the Codoso Group, which is affiliated with the Chinese government, were after intellectual property, perhaps even the source code behind LoopPay's technology. That technology, known as Magnetic Secure Transmission, lets a phone emit a magnetic signal that a credit card terminal reads as if a physical card had been swiped. It is what lets Samsung Pay (unlike Apple Pay or Android Pay) work on just about every point of sale terminal in the U.S., not just newer devices with the Near Field Communication (NFC) hardware that Apple Pay and Android Pay require.
That is the special sauce that lets Samsung claim its mobile payments work on many millions more terminals than will accept Apple Pay or Android Pay, and Samsung Pay works on the new NFC terminals too.
But users of Samsung Pay have to ask themselves whether use of the payments tool puts their data in jeopardy. There likely are not that many users yet - in the U.S. the tool has been available only a couple of weeks, and it works only on late-model Samsung devices, the Galaxy S6, the S6 Edge and Edge+ and the Note 5 - so this is a critical moment for Samsung Pay.
Is Samsung Pay safe? Lawyer Toren admitted that he would not use it. “I would not be comfortable using Samsung Pay,” he said. “There are alternatives.” He is right about that. Android Pay, from Google, ought to work on the same devices that Samsung Pay does, so device owners have a clear choice.
Chenxi Wang, chief strategy officer at security company Twistlock, also offered skepticism: “As a Samsung Pay user, I deleted my credit card from the system and will stop using the service for at least a while. I am sure the server already has my credit card information, so I'll be putting a fraud alert on my credit.”
An unexpected endorsement of Samsung Pay came from identity theft expert Robert Siciliano who, when asked if he would use it, said he would.
“Here's the deal: your card data is more at risk when handed over to a gas station attendant,” he said. “And everyone should expect card fraud every month, which is why they should watch their statements closely.”
A related fact is that fraud involving a credit or debit card used for mobile payments receives the same legal protections accorded a plastic card. That is, consumer liability for credit card fraud is usually capped at $50. Debit card fraud losses can be substantially higher, which is one reason many experts counsel using debit cards selectively.
Siciliano is right. But, said Toren, “it’s just not worth the hassles.” Fraud has to be disputed, followed by a whole rigmarole. Right now - with so much unknown about what the hackers did and what they got away with - Toren said the risks outweigh any possible benefits.
He added: “This is definitely a black eye for Samsung in its competition with Apple Pay.”