
Samsung Pay's parent company corporate network compromised
NewsPoster
MacNN Staff
Join Date: Jul 2012
Oct 8, 2015, 09:47 AM
 
Prior to Samsung Pay's rollout, the technology at its core may have been stolen. LoopPay, the company at the core of the technology, had its corporate network broken into by the Codoso Group, the same hacker collective who penetrated Forbes' security, and hosted malware to its readers. Both Samsung and LoopPay claim that customer information and transaction data was never at risk -- but the hacking collective was after data about the system itself.

LoopPay's technology has the potential to work in approximately 90 percent of existing point-of-sale (POS) terminals, according to Samsung research, with no investment in new infrastructure required by merchants. The company's version of the digital wallet concept can store and use a wide variety of mag-stripe cards, including debit and credit cards, private label cards, gift cards, loyalty cards, and rewards cards.

Access to the LoopPay app and data is password and PIN-protected. LoopPay encrypts and stores all card-track data in secure memory within any LoopPay device, but does collect data on customer habits, purchases and financial information -- unlike rival Apple Pay -- and passes that data onto marketers, merchants, and others.

Samsung is downplaying the penetration. A statement made to the New York Times about the security lapse claims that "Samsung Pay was not impacted, and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately, and had nothing to do with Samsung Pay."

It is accurate that no personal information for customers was stolen: the hackers were after information on the LoopPay/Samsung Pay system, according to LoopPay itself. However, the statement about the speed of the fix is incorrect -- it may very well have been resolved immediately after discovery, but the LoopPay corporate network was compromised for up to five months before the discovery.

LoopPay claims that security experts were hired before the Samsung Pay launch in late August, and are still working out exactly what happened. It did not find the breach itself -- a separate security group told the company of the breach while poring through Codoso Group evidence in a different investigation.

The CEO of LoopPay also notes that there was no indication of a breach at Samsung, and reiterates that consumer data was not stolen. Samsung and LoopPay claim that there are no infected machines remaining on any network. Law enforcement has not been involved, because of the belief that customer data or company financial information has not been stolen.

Codoso's targets aren't so easily cleansed of infection. The Forbes attack was multi-pronged, and lasted for weeks before and after the initial attempts. Using data and footholds gleaned from that attack, the hackers penetrated some Department of Defense systems. An attack on the US State Department was thought to be cleaned in 2011, but malware and surveillance software persisted for years after the attack.

The head of intelligence on cyber espionage at security firm iSight Partners says of the hackers that "once Codoso compromises their targets -- which range from dissidents to c-level executives in the US -- they tend to stay there for quite a long time, building out their access points so they can easily get back in. They'll come back to a previous organization of interest again and again."
( Last edited by NewsPoster; Oct 16, 2015 at 05:05 AM. )
     
pairof9s
Senior User
Join Date: Jan 2008
Oct 8, 2015, 10:06 AM
 
You won't see or hear anything on this in the national media because it seems a minor, non-issue. Had this been Apple Pay, it would have been "Bendgate" Part 2. It's pretty ridiculous the overt sensitivity Apple products receive in comparison to their counterparts...and the obligatory "Fanboy" hate posts that follow.

At least, I'm on the side of the fence where I own an iPhone and know this is all inconsequential to using & enjoying it.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Oct 8, 2015, 10:38 AM
 
I think it would be minor if it wasn't Codoso. Also, the big picture is that the corporate network was broken, and I'm not thrilled about the blatant lie in the statement about bit.

Five months is a long time for other computers peripherally connected to be infected, too. If the technology is stolen, then I think this has ramifications for the future security of the system. We'll see.

Sometimes you need to write an article for a foundation for the future. We'll be hearing more about this going forward.
     
aroxnicadi
Junior Member
Join Date: Jun 2011
Location: Grande Prairie, Alberta
Oct 8, 2015, 11:17 AM
 
Another good reason that I won't trust ApplePay until their security is air tight, which with software and firmware will never be.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Oct 8, 2015, 11:57 AM
 
SP uses a different underpinning than AP. I'm assuming you mean generally, rather than thinking that this article has anything to do with AP, Arox.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Oct 8, 2015, 12:25 PM
 
aroxnicadi: feel free to submit to us all those reports you have of Apple Pay being breached.
Charles Martin
MacNN Editor
     
climacs
Senior User
Join Date: Sep 2001
Location: in front of my computer
Oct 8, 2015, 02:24 PM
 
If you want perfect security, aroxnicadi, I suppose you could just go to using cash... oh but even cash is not 100% secure.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Oct 8, 2015, 08:55 PM
 
Unlike a card entered into Apple Pay, cash is very easy to steal, and spend, without the other person's fingerprint.
Charles Martin
MacNN Editor
     
   
 
All contents of these forums © 1995-2017 MacNN. All rights reserved.