Partners Raise Red Flags On Mobile Payment Security Risks After LoopPay Attack

Solution providers are pointing to security risks they see as inherent in mobile payment systems after it was discovered that the technology behind Samsung's new Samsung Pay mobile payment platform, LoopPay, was hacked.

According to a report in the New York Times, Burlington, Mass.-based LoopPay's corporate network was the target of an attack by a group of government-associated Chinese hackers as early as March.

LoopPay did not respond to a request for comment from CRN before publication.

[Related: Mobile Payment Head-To-Head: LoopPay Vs. Apple Pay]

Samsung responded to CRN's request for comment by saying that the breach did not affect the personal information of people using the payment network, and that the corporate network issue was resolved quickly.

According to a Samsung spokesperson: ’Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network from Samsung Pay. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay. Samsung is extremely committed to securing and protecting user data to the highest industry standards.’

Samsung in February revealed plans to buy LoopPay, which touts its Magnetic Secure Transmission technology as an advanced contactless payment offering that turns existing mag stripe readers into mobile contactless receivers.

LoopPay technology powers Samsung Pay, which launched in the U.S. last week. The payment system's Magnetic Secure Transmission allows consumers to tap their smartphones against the magnetic stripe reader machines available in most retail stores.

LoopPay executives, who learned of the attack in August, said they believe attackers broke into the company's corporate network, but not the product system that helps manage payments. But solution providers warn that these risks still lie in any type of mobile payment system.

"I don't think this hack is really going to get to any personal information, so it isn't of any concern yet," said Steven Kantorowicz, president of CelPro Associates, a Samsung partner based in New York. "[But customers] definitely should be concerned about a mobile payment system if it can be hacked for customer personal information and credit information."

Solution providers who offer mobile device management and mobile security services said enterprise customers are hesitant to take on mobile payments because of these security threats.

"We have seen a very slow uptake on mobile payments, primarily due to security concerns," said Jay Gordon, vice president of sales at Enterprise Mobile, a Plano, Texas-based solution provider. "Many of our customers have witnessed a myriad of security breaches in the industry that have made them resistant to mobile payment adoption and confidence."

CelPro's Kantorowicz said large enterprise customers he deals with are not yet opening up mobile payment system opportunities to their employees, and want to wait until the platforms have been tested more in the consumer market.

"I think there's a waiting period in the enterprise. … The success of mobile payment systems will be driven by the consumers and then go to the enterprise," he said. "It's a tremendous market for users as long as companies can keep their mobile payment platforms secure. It's just convenient for users to not have to carry a wallet and a stack of loyalty cards around in their pocket."

LoopPay offers several security features, such as password and PIN-protected data. The company also says it stores and encrypts all card-track data in secure memory within the LoopPay device.

Its technology has the potential to work in 90 percent of existing point-of-sale terminals, Samsung said, citing internal research.

PUBLISHED OCT. 8, 2015