Sophos Cloud Optix
Thieves may have nicked email addresses out of CurrentC, according to Merchant Customer Exchange (MCX), the group of merchants behind the mobile payment system that’s promising to put up stiff competition against Apple Pay and Google Wallet.
MCX on Wednesday night sent out an email about the breach, which it said happened sometime in the preceding 36 hours, affecting participants in the CurrentC pilot program and individuals who’d expressed interest in the app:
Here’s the message in its entirety:
Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.
In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.
MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.
CurrentC was already in headlines when retailers involved with the initiative, including CVS and Rite Aid, shut down Near Field Communication (NFC) in their stores over the weekend, locking out NFC-reliant competitors Google Wallet and Apple Pay.
Other MCX members, like Walmart and Best Buy, had already announced that they wouldn’t accept the new mobile payment method.
Customers who had used Apple Pay just fine up until that point suddenly found their e-wallets shut out of the major retailers.
It later emerged that those retail chains, as part of MCX, did so in anticipation of the arrival of CurrentC. CurrentC is built around QR code technology – the bar codes that retailers scan to ring up an order – as opposed to NFC.
The problem, according to the New York Times, was that the terms of the retailers’ MCX contract locked participating companies out of accepting competing mobile payment products like Apple Pay.
It’s just one early skirmish in a war between tech companies, credit card businesses, and retailers over how consumers will pay for things and who’ll get to benefit from the valuable data that credit card companies have been monopolizing: namely, the data regarding where we shop and what we buy.
Forrester sees mobile payments set to explode, pegging it at a potential $90 billion market by 2017.
It’s easy to see why merchants want to elbow Apple and Google out of the way: if they wrestle the ability to track shopping data away from credit card companies, they themselves could deliver to consumers targeted deals and loyalty points, which could in turn boost revenues.
One thing retailers particularly like about CurrentC: the system relies on users’ bank account data, rather than credit cards. Cutting out credit cards could save retailers money, given that they have to pay profit-nibbling transaction fees.
So should we worry about CurrentC getting its fingers into our bank accounts, given the recent data breach?
It isn’t a particularly big data breach – no payment data or other personal information, such as home addresses or phone numbers, were taken. But it’s a sign that our data perhaps isn’t being kept as securely as it should be.
If you’re a CurrentC customer, keep an eye on your emails and watch out for phishers.
CurrentC really needs to be taken to court. They are trying to bully Apple and Google, and forcing people to use a subpar service (QR codes for transactions and no fraud protection…really?). They realize their service sucks, as they do not have the genuises Apple and Google have to secure their own stuff and make it easier to use.
If given a choice I would take credit cards and bank card that came without NFC before accepting cards with PayPass or PayWave enabled cards. The same can be said for mobile payment schemes. The fact that companies like Apple, Google and CurrentC are all at the technological forefront is good, but at this articles shows more needs to be done to protect our data.
Here in Canada we’ve been using chip and pin for years now. With most retailers having made the switch by April 1, 2011 (the holdouts are incidentally held liable for all fraudulent transactions). The push I see with NFC payments in the US, while laudable, still lacks universal acceptance.
How’s this for an idea, mandate something that’s tried, tested and true (like chip and pin) and once your country has a firm handle on the financial security of your customers, (ie NOT using mag stripe) then look at adding bells and whistles. Mobile NFC payments are good, but there is still too much confusion between which retailer will accept whose mobile payment method.
My own approach is to disable NFC (either through my bank/FI or taking matters into my own hands) on all cards that are directly linked to my bank accounts. I trust my bank/FI to look after their bottom line before they’ll reimburse me the full amount. I much rather take the time to enter my 4 digit PIN than run risk of loosing money because someone with $70 worth of hardware was able to activate my NFC enabled card or trick my mobile device into divulging a payment token.
If a C$70 piece of hardware could crack chip-and-PIN, why hasn’t there been a huge wave of fraudulent transactions in Canada and other countries? Simple… it can’t.