Samsung is evolving. It won’t stay as device manufacturer forever. As the market grows, there is always a chance to expand the company. This time, the company seek for developing its own mobile payment system: LoopPay. However, before the system reached public, there was a huge security problem. This under-development project was hacked by a group of Chinese hackers.

Hacking illustration

Wait, Chinese hackers? Again?

Yes, once again they were Chinese hackers. However, this time they didn’t work alone. Many security experts believe the government was behind the LoopPay attack. For what reasons, we don’t know. Maybe they’re just curious about the new system. Perhaps, they want to test their new hacking method. Well, the reason is still unclear. However, there is one thing we learn. When government began promoting hacking, who knows when it will hack our privacy?

Now, back to our topic 🙂

What Happened to LoopPay?

The first attack on LoopPay was occurred in March. It was targeting the company’s computer network at Burlington, Mass. The attacker were later identified as Sunshock Group. This hacking group is quite popular for their affiliation with the Chinese government. That’s why some people assume there might be political interest in this attack.

The attack seemed to be well prepared. Later investigation revealed that all evidences lead to LoopPay’s MST technology. This Magnetic Secure Transmission (MST) is a key technology behind Samsung’s new mobile payment system. That’s the one the company published last week in the United States.

Like other mobile payment systems, Samsung Pay allows its users to purchase goods using their Samsung smartphones. Using NFC technology, Samsung Pay will send the user’s information from the device to cash registers. All done via wireless connection. However, unlike NFC, LoopPay’s MST is unique. In fact, it’s better than other similar technologies. It is compatible with older payment systems. How’s it possible? It works perfectly as an emulator of your magnetic stripe cards. It means, you don’t have to find an NFC-compatible register to use Samsung Pay. It’s brilliant, isn’t it?

With Samsung Pay, you barely need to bring your card wherever you go

The attack “successfully” breached into the corporate network, stealing data. However, they never touched the production system. It’s important to keep this system safe as it manages payment. Unimaginable amount of user’s financial information will be leaked only if the production system was breached. We don’t think it’s a coincidence that the hackers missed that line. Perhaps, they just didn’t know how to breach it. Well, at least, that brings good news to Samsung users.

The not-so-good news is LoopPay itself didn’t recognize the breach. At least, until late of August. That’s pretty scary, if we might say. Someone broke into your house and stole your things. Yet, you didn’t realize it until 5 months later, someone came to you telling you that incident. In LoopPay’s case, it would be an organization which had been tracking Sunshock activities for months, while searching through LoopPay’s data. If that moment, that organization never came, perhaps you’d see lots of suspicious purchase in your bill right now.

Samsung and LoopPay claimed they have solved the issue. Yet, we still question on why it took 5 months until they realized the attack. What happened to their security system? Even a single day would leaked countless data to the web. Five months? We couldn’t imagine how serious the damage is. So, why Samsung still insisted to launch their Samsung Pay on schedule? Wouldn’t be it too risky?

As long as they eliminated the threat, it won’t be. All infected machines had been removed. All personal devices are not infected. Besides, both companies are certain that no customer payment information was touched. So, with these facts, they believe there’s no reason for them to uphold the product launch. The question is: did they tell the truth?

We’ve investigated plenty security issues before we LoopPay. Through years we passed, we learn one key fact. It would be too premature to say the threat is eliminated. Particularly, if you found the threat 5 months later. Only the hackers know what they did. Only them who know when their attack has ended.

If we were the hackers, we won’t hack like a newcomer. Instead, we’d make you believe that the threat is eliminated. While making you believe that, we’d plant secret back doors in your system. Even if you check your security, these doors would remain hidden. This way, whenever we want, we can use the doors to sneak in. You won’t realize until you lose something. That time, you won’t find us as we’d have run away.

So, please tell us. Do you believe the LoopPay has ended?

Do You Mean the LoopPay Attack Will Continue?

If you learn the hackers’ pattern, this is the best guess we have. For example, many people believe their attack on Forbes was targeted only to the website. The fact is, it didn’t. The hackers planted malicious script that infected the Forbes’ visitors. As if it wasn’t enough, the attack continued with the second wave. Other group members used the victims to search for ‘easy’ targets in the US defense sector. All began with a simple attack on Forbes. No one thought about the second wave.

Hacking: Friend or Enemy?

Let’s take a look at another example. In 2011, a hacking group attacked the U.S. Chamber of Commerce. Even though the attacker wasn’t Sunshock, both attacks have similar pattern. Soon after the attack, the system got fully cleaned. Authorities claimed no threat left. Yet, few months later, they found the truth. Their system was still sending data to the hackers. Everything happened right under their nose.

What Can We Learn from LoopPay Attack?

Samsung Pay hit the public 38 days after the PayLoop attack. Typically, security experts need 46 days to fully resolve a breach. However, this is only for common security breach. In more complicated case, like LoopPay, it demands longer time. Does that mean no one can resolve the problem within 38 days? Well, there might be someone who can. However, it’s important to remember than Sunshock attack is unique. The malicious scripts remain hidden in the victim’s system for a long time. Meanwhile, they’ll build their access points. Therefore, whenever the hackers wants to get back in, it can be easily done. Everything done without anyone notices.

On August 21, LoopPay hired two so-called private forensic teams. Their job is to investigate the breach. However, there’s something unusual about the investigation. Typically, a company would assign both teams to investigate the network together, but not in this case. LoopPay hired both teams to investigate the network from 2 different portions. It means you can only investigate half part of the network. If somehow the issue lies on the other part of the network, there’s nothing you can do about it. That’s what happened to one of the security firms. Sotoria, the security firm, received a backup of LoopPay’s data. Three days later, they must leave their work.

Pretty weird, isn’t it? Why the company fired the agency? Someone inside told us the reason. The agency appeared to broke the contract. They attempted to ‘extend’ their service. Unfortunately for them, the company considered this as fraud. Three days later, the contract was ended. The agency went out, but there is one interesting fact. Even though after this case, LoopPay still working with them. So, tell me. What happened there?

So, How Serious is the LoopPay Attack?

 There is a serious concern here. First, Sunshock is a popular hacking group. Second, Samsung Pay is the first in its class. So, tell, what will happen when a technology breakthrough meets hackers? Disaster.

Hacker + Technology : Something Beyond Our Dream

There are two possibilities here. First, Sunshock may use the stolen information to breach Samsung Pay. Second, they might copy Samsung Pay.

Both ways are dangerous. If they breached Samsung pay, your data will never be safe. If Sunshock created the copycat product, you won’t be able to spot the difference. That’s it, the end of your privacy. The worst is: it maybe the beginning.

If Sunshock was affiliated with Chinese government, it might turn to a disaster. When hackers get affiliated with government, there’s only one result. They are also affiliated with credit card carries, companies, and banks. In this case, not even LoopPay can fight them. In this case, not even a lawsuit would work.

Is there anything I can do to stay safe?

There is only one rule in online safety. Keep your personal information to yourself. Don’t give it to anyone. What about my family? Should I keep that information from them, too? Well, only if you trust them completely, you can hand it to them. Sometimes, even your own family may turn their back to you. We don’t want to hurt you, but that’s the fact. Even people from LoopPay understands that.

I’ve decided whom I trust. What’s next?

Next, you need to protect yourself. In online privacy, you’re not dealing with common person. You’re dealing with cyber criminals. They dedicate their life to steal your information. Some of them even won’t give up until they take down your system. Once they marked the target, there’s no stop to them. Their malicious scripts will attack your system until it’s vulnerable. Take a look at LoopPay case if you don’t believe. So, think about these points first. Do you know who you deal with? Do you have resources to fight them?

If not, then you better find something that can help you. In this case, we recommend VPN Asia. Wanna find out why we recommend it? Check out this article 🙂 You’ll love it.