Samsung confirms hackers were after its Samsung Pay technology, but denies it impacted payments data

Traditional database encryption is not good enough for mobile payments companies, warn security experts

Yesterday it was revealed that LoopPay, the US-created mobile payment system acquired by South Korea-based electronics giant Samsung for more than $250 million, had been the target of a sophisticated cyber attack back in March.

It was discovered over five months later, in August, that hackers had breached the computer network of the Massachusetts-based startup.

LoopPay said the perpetrators, understood to be a group of government-affiliated Chinese hackers, were after the company's technology, known as magnetic secure transmission or MST, which is central to the Samsung Pay mobile payment platform.

According to a report by the New York Times, LoopPay executives said that there was no indication any consumer data had been exposed, but that security experts were still looking through LoopPay's systems.

Samsung’s acquisition of LoopPay back in February, ahead of the launch of its S6 flagship model, has shown that mobile payments are at the centre of an aggressive push by the major players in the sector.

Could the transition from a physical to a digital wallet be happening faster than security technologies and processes can keep up, as consumers look for the fastest, most convenient and secure platforms to complete transactions?

'We're confident that Samsung Pay is safe and secure,' said Samsung in a statement. 'Each transaction uses a digital token to replace a card number. The encrypted token combined with certificate information can only be used once to make a payment. Merchants and retailers can't see or store the actual card data.'

Mark Bower, global director, enterprise data security for HP Data Security, warns that if you store, process and collect sensitive data, particularly payments data, your business is going to be on the radar of attackers.

'Forensics are a powerful tool to discover the extent of a breach, but by then the data is long gone,' says Bower. 'Any company today has to assume a breach will happen and take more advanced threat mitigation measures. The payments business has learned the lesson hard over the years, and embraced far more powerful approaches to data security than traditional perimeter and storage encryption provides.'

Today, the best-in-class businesses have a responsibility to secure the data itself, not just the infrastructure, securing billions of transactions representing trillions of dollars in value with new technologies like Format-Preserving Encryption and stateless tokenisation, adds Bower.

'The result is they don’t keep any live data anywhere it can be stolen. This is a huge shift from older perimeter or disk and database encryption approaches which simply can’t withstand advanced attacks like those reported in this case.'
